Bug 57898 - ruby2.5: Multiple issues (5.0)
Summary: ruby2.5: Multiple issues (5.0)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.0
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 5.0-9-errata
Assignee: Quality Assurance
QA Contact: Christian Castens
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-01-27 13:46 CET by Quality Assurance
Modified: 2025-01-29 16:07 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Description Quality Assurance univentionstaff 2025-01-27 13:46:51 CET
New Debian ruby2.5 2.5.5-3+deb10u8 fixes:
This update addresses the following issues:

Debian update 2.5.5-3+deb10u8
2.5.5-3+deb10u8 (Sun, 26 Jan 2025 14:32:05 +0000)
* Non-maintainer upload by the ELTS Security Team.
* Upgrade rexml gems from 3.1.7.3 to 3.2.3.1
* Fix CVE-2024-35176: REXML is an XML toolkit for Ruby. The REXML gem has a Denial of Service (DoS) vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted by this vulnerability.
* Fix CVE-2024-39908: REXML is an XML toolkit for Ruby. The REXML gem has some Denial of Service (DoS) vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you may be impacted by these vulnerabilities.
* Fix CVE-2024-41123: REXML is an XML toolkit for Ruby. The REXML gem has some Denial of Service (DoS) vulnerabilities when it parses an XML that has many specific characters such as whitespace characters, `>]` and `]>`. If you need to parse untrusted XMLs, you may be impacted by these vulnerabilities.
* Fix CVE-2024-41946: REXML is an XML toolkit for Ruby. The REXML gem had a Denial of Service (DoS) vulnerability when it parses an XML that has many entity expansions with the SAX2 or pull parser API.
* Fix CVE-2024-43398: REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a Denial of Service (DoS) vulnerability when it parses an XML that has many deep elements that have the same local name attributes. If you need to parse untrusted XMLs with a tree parser API like REXML::Document.new, you may be impacted by this vulnerability. If you use other parser APIs such as the stream parser API and SAX2 parser API, you are not impacted.
* Fix CVE-2024-49761: REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`).
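A defender-side wrapper for the REXML parser-DoS class described above, added here as an example that is not part of the ticket or of the Debian package: it bounds input size, parse time and entity expansion around REXML::Document.new, and compares the loaded REXML version against the upstream fixed versions the changelog names. The function names, the limits and the sample XML are assumptions constructed for illustration.

```ruby
# Added example (not from the ticket or from Debian's package): defensive
# handling of untrusted XML with REXML, the parser the CVEs above concern.
require 'rexml/document'
require 'timeout'

# Upstream rexml releases named in the changelog as fixing two of the CVEs.
# Debian ships a patched 3.2.3.1, so a bare version compare can report a
# patched system as vulnerable; on Debian/UCS hosts the package version
# (2.5.5-3+deb10u8) is the authoritative check, not this constant.
UPSTREAM_FIXED = { 'CVE-2024-43398' => '3.3.6', 'CVE-2024-49761' => '3.3.9' }.freeze

# True when +current+ (defaults to the loaded gem) is at or above +min+.
def rexml_version_at_least?(min, current = REXML::VERSION)
  Gem::Version.new(current) >= Gem::Version.new(min)
end

# Returns the CVEs whose upstream fixed version is above +current+.
def cves_unfixed_upstream(current = REXML::VERSION)
  UPSTREAM_FIXED.reject { |_cve, fixed| rexml_version_at_least?(fixed, current) }.keys
end

# Caps REXML's entity-expansion limits below the defaults (10_000 expansions,
# 10_240 text bytes). The values used here are assumed, not prescribed.
def harden_rexml_limits!(expansions: 100, text_bytes: 1024)
  REXML::Security.entity_expansion_limit = expansions
  REXML::Security.entity_expansion_text_limit = text_bytes
  [REXML::Security.entity_expansion_limit, REXML::Security.entity_expansion_text_limit]
end

# Parses untrusted XML under a byte cap and a wall-clock cap. The timeout
# mitigates CPU-bound parser loops; it is not a substitute for the package
# update. Raises ArgumentError, Timeout::Error or REXML::ParseException;
# returns the REXML::Document otherwise.
def parse_untrusted_xml(xml, max_bytes: 64 * 1024, timeout_sec: 2)
  if xml.bytesize > max_bytes
    raise ArgumentError, "XML input of #{xml.bytesize} bytes exceeds cap of #{max_bytes}"
  end
  Timeout.timeout(timeout_sec) { REXML::Document.new(xml) }
end

if __FILE__ == $PROGRAM_NAME
  harden_rexml_limits!
  puts "loaded rexml #{REXML::VERSION}; unfixed by upstream version: #{cves_unfixed_upstream.inspect}"
  doc = parse_untrusted_xml('<root a="1"><child>ok</child></root>') # constructed sample input
  puts "parsed root <#{doc.root.name}> with #{doc.root.elements.size} child element(s)"
end
```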
Comment 1 Quality Assurance univentionstaff 2025-01-27 14:00:10 CET
--- mirror/ftp/pool/main/r/ruby2.5/ruby2.5_2.5.5-3+deb10u7.dsc
+++ apt/ucs_5.0-0-errata5.0-9/source/ruby2.5_2.5.5-3+deb10u8.dsc
@@ -1,3 +1,41 @@
+2.5.5-3+deb10u8 [Sun, 26 Jan 2025 14:32:05 +0000] Bastien Roucariès <rouca@debian.org>:
+
+  * Non-maintainer upload by the ELTS Security Team.
+  * Upgrade rexml gems from 3.1.7.3 to 3.2.3.1
+  * Fix CVE-2024-35176: REXML is an XML toolkit for Ruby.
+    The REXML gem has a Denial of Service (DoS) vulnerability
+    when it parses an XML that has many `<`s in
+    an attribute value. Those who need to parse
+    untrusted XMLs may be impacted to this vulnerability
+  * Fix CVE-2024-39908: REXML is an XML toolkit for Ruby.
+    The REXML gem has some Denial of Service (DoS) vulnerabilities
+    when it parses an XML that has many specific characters such
+    as `<`, `0` and `%>`. If you need to parse untrusted XMLs,
+    you many be impacted to these vulnerabilities.
+  * Fix CVE-2024-41123: REXML is an XML toolkit for Ruby.
+    The REXML gem has some Denial of Service (DoS) vulnerabilities
+    when it parses an XML that has many specific characters
+    such as whitespace character, >] and ]>.
+    If you need to parse untrusted XMLs, you may be impacted
+    to these vulnerabilities.
+  * Fix CVE-2024-41946: REXML is an XML toolkit for Ruby.
+    The REXML gem had a Denial of Service (DoS) vulnerability
+    when it parses an XML that has many entity expansions
+    with SAX2 or pull parser API.
+  * Fix CVE-2024-43398: REXML is an XML toolkit for Ruby.
+    The REXML gem before 3.3.6 has a Denial of Service (DoS)
+    vulnerability when it parses an XML that has many deep
+    elements that have same local name attributes.
+    If you need to parse untrusted XMLs with tree parser
+    API like REXML::Document.new, you may be impacted
+    to this vulnerability. If you use other parser APIs
+    such as stream parser API and SAX2 parser API,
+    you are not impacted.
+  * Fix CVE-2024-49761: REXML is an XML toolkit for Ruby.
+    The REXML gem before 3.3.9 has a ReDoS vulnerability
+    when it parses an XML that has many digits between
+    &# and x...; in a hex numeric character reference (&#x...;).
+
 2.5.5-3+deb10u7 [Sat, 10 Aug 2024 11:34:49 +0200] Sylvain Beucler <beuc@debian.org>:
 
   * Non-maintainer upload by the ELTS Security Team.
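Review bot: the entry states `Upgrade rexml gems from 3.1.7.3 to 3.2.3.1` while the CVE-2024-43398 and CVE-2024-49761 items say the gem is vulnerable `before 3.3.6` and `before 3.3.9`; as written, a reader or a version-based scanner will conclude that 3.2.3.1 is still affected. Suggest stating explicitly that the six CVE fixes are backported onto 3.2.3.1. Also, `you many be impacted` in the CVE-2024-39908 item should read `you may be impacted`, and the CVE-2024-35176 item lacks its final period.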

<http://piuparts.knut.univention.de/5.0-9/#6123081336265285318>
Comment 2 Christian Castens univentionstaff 2025-01-28 14:08:27 CET
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-9] 92acd7f7b8 Bug #57898: ruby2.5 2.5.5-3+deb10u8
 doc/errata/staging/ruby2.5.yaml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
Comment 3 Christian Castens univentionstaff 2025-01-29 16:07:42 CET
<https://errata.software-univention.de/#/?erratum=5.0x1206>