Source: ruby3.3
Version: 3.3.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: clone -1 -2 -3
Control: reassign -2 ruby3.2 3.2.3-1
Control: retitle -2 ruby3.2: CVE-2024-39908
Control: reassign -3 ruby3.1 3.1.2-8.3
Control: retitle -3 ruby3.1: CVE-2024-39908
Hi,

The following vulnerability was published for the rexml library bundled in ruby.

CVE-2024-39908[0]:
| REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has
| some DoS vulnerabilities when it parses an XML that has many
| specific characters such as `<`, `0` and `%>`. If you need to parse
| untrusted XMLs, you may be impacted by these vulnerabilities. The
| REXML gem 3.3.2 or later include the patches to fix these
| vulnerabilities. Users are advised to upgrade. Users unable to
| upgrade should avoid parsing untrusted XML strings.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-39908
    https://www.cve.org/CVERecord?id=CVE-2024-39908
[1] https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
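The advisory's two mitigations (upgrade to REXML 3.3.2 or later, otherwise do not parse untrusted XML) can be enforced in application code. The Ruby below is an added example written for this report; it is not code from the Debian bug, from the REXML project, or from upstream's fix. It assumes REXML is available as the bundled gem exposing the `REXML::VERSION` constant; the helper names `rexml_patched?` and `parse_untrusted_xml`, the `FIXED_REXML_VERSION` constant and the 64 KiB size bound are this example's own choices, not values from the advisory.

```ruby
# Added example (not from the Debian bug report or the REXML project):
# gate parsing of untrusted XML on the installed REXML version, as the
# CVE-2024-39908 advisory recommends, and bound the input size.
require "rubygems"

# First release the advisory names as carrying the fix.
FIXED_REXML_VERSION = "3.3.2"

# Constructed size bound for untrusted documents (hypothetical policy value).
MAX_UNTRUSTED_XML_BYTES = 64 * 1024

# Compare a REXML version string against the fixed release using
# Gem::Version so that "3.3.10" sorts after "3.3.2" (string comparison would not).
def rexml_patched?(version_string)
  Gem::Version.new(version_string) >= Gem::Version.new(FIXED_REXML_VERSION)
end

# Load REXML if present and record its version; REXML::VERSION is defined
# by the gem itself. Leave the version nil when the library is absent.
begin
  require "rexml/document"
  INSTALLED_REXML_VERSION = REXML::VERSION
rescue LoadError
  INSTALLED_REXML_VERSION = nil
end

# Parse XML from an untrusted source only when the installed REXML is at or
# past the fixed version; otherwise refuse, rather than risk the DoS.
# The size check runs before the parser sees any bytes.
def parse_untrusted_xml(xml,
                        installed_version: INSTALLED_REXML_VERSION,
                        max_bytes: MAX_UNTRUSTED_XML_BYTES)
  raise ArgumentError, "REXML is not available" if installed_version.nil?
  unless rexml_patched?(installed_version)
    raise SecurityError,
          "REXML #{installed_version} is affected by CVE-2024-39908; " \
          "refusing to parse untrusted XML"
  end
  if xml.bytesize > max_bytes
    raise ArgumentError, "XML input of #{xml.bytesize} bytes exceeds #{max_bytes}"
  end
  REXML::Document.new(xml)
end

if __FILE__ == $PROGRAM_NAME
  puts "installed REXML: #{INSTALLED_REXML_VERSION.inspect}"
  puts "patched: #{INSTALLED_REXML_VERSION && rexml_patched?(INSTALLED_REXML_VERSION)}"
  begin
    doc = parse_untrusted_xml("<note><to>ops</to></note>")  # constructed sample input
    puts "root element: #{doc.root.name}"
  rescue SecurityError, ArgumentError => e
    puts "refused: #{e.message}"
  end
end
```

The version comparison uses `Gem::Version` rather than string comparison so that later patch releases are recognised as fixed; the `installed_version:` keyword exists so the gate can be exercised against versions other than the one actually installed.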