
Mageia 9: 2025-0001 Critical: ruby DoS Fixes for REXML Gems

Mageia, January 4, 2025
Updated ruby packages for Mageia 9 fix six denial-of-service vulnerabilities in the bundled REXML gem, Ruby's pure-Ruby XML parser. All of them are triggered by crafted XML input; the first is an attribute value that contains many `<` characters (CVE-2024-35176).

Summary

- CVE-2024-35176: The REXML gem before 3.2.6 has a denial-of-service vulnerability when it parses an XML document that has many `<`s in an attribute value.

- CVE-2024-39908: The REXML gem before 3.3.1 has DoS vulnerabilities when it parses an XML document that has many specific characters such as `<`, `0` and `%>`.

- CVE-2024-41123: The REXML gem before 3.3.2 has DoS vulnerabilities when it parses an XML document that has many specific characters such as whitespace characters, `>]` and `]>`.

- CVE-2024-41946: The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML document that has many entity expansions with the SAX2 or pull parser API.

- CVE-2024-43398: The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML document that has many deeply nested elements carrying attributes with the same local name.

- CVE-2024-49761: The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML document that has many digits between `&#` and `x...;` in a hexadecimal numeric character reference (`&#x...;`).
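As an added example, not code from the Mageia advisory or from the rexml project itself: the Ruby snippet below checks the loaded REXML version against the 3.3.9 release that closes all six CVEs, and applies a cheap pre-parse guard that rejects the input shapes the summary describes (long runs of `<`, `0`, `%>`, whitespace, `>]`/`]>`; huge digit strings in `&#x...;` references; very many entity references; very deep nesting) before REXML ever sees them, then parses under an entity-expansion cap and a wall-clock budget. The helper names, the thresholds (1000 repetitions, 5000 levels) and the sample payloads are assumptions constructed for illustration.

```ruby
# Added example, not code from the Mageia advisory or the rexml project.
# (1) checks the loaded rexml against the upstream 3.3.9 fix line and
# (2) applies a pre-parse guard for the input shapes the six CVEs describe.
# Thresholds, helper names and payloads are illustrative assumptions.
require "rexml/document"
require "timeout"

# Upstream release that contains the fix for every CVE in this advisory.
REXML_FIXED_VERSION = "3.3.9"

# True when the given rexml version string (default: the loaded gem) is at
# or beyond the release that closes all six CVEs.
def rexml_fixed?(version = REXML::VERSION)
  Gem::Version.new(version) >= Gem::Version.new(REXML_FIXED_VERSION)
end

# Maximum element nesting depth, computed from start/end tags without
# invoking REXML at all (proxy for the CVE-2024-43398 shape).
def max_element_depth(xml)
  depth = max = 0
  xml.scan(%r{<(/?)[A-Za-z_][\w:.-]*[^<>]*?(/?)>}) do |closing, self_closing|
    if closing == "/"
      depth -= 1
    elsif self_closing != "/"
      depth += 1
      max = depth if depth > max
    end
  end
  max
end

# Returns symbols naming which pathological shapes the text shows, or []
# for ordinary input. max_run and max_depth are arbitrary assumed limits.
def rexml_dos_indicators(xml, max_run: 1000, max_depth: 5000)
  reasons = []
  # CVE-2024-35176 / CVE-2024-39908 / CVE-2024-41123: long runs of the
  # characters the advisory lists.
  { lt_run: "<", zero_run: "0", pct_gt_run: "%>", ws_run: "\\s",
    bracket_run: ">\\]|\\]>" }.each do |name, pattern|
    reasons << name if xml.match?(/(?:#{pattern}){#{max_run},}/)
  end
  # CVE-2024-49761: huge digit string inside a hex numeric character reference.
  reasons << :long_hex_charref if xml.match?(/&#x[0-9a-fA-F]{#{max_run},}/)
  # CVE-2024-41946: very many entity references (expansion count).
  reasons << :many_entity_refs if xml.scan(/&[A-Za-z_][\w.-]*;/).size > max_run
  # CVE-2024-43398: very deep nesting.
  reasons << :deep_nesting if max_element_depth(xml) > max_depth
  reasons
end

# Parse under the guard, an entity-expansion cap and a wall-clock budget.
# Returns [:ok, doc], [:rejected, reasons] or [:timeout, nil]. The guard is
# a stopgap for hosts still on a vulnerable rexml, not a substitute for the
# updated package.
def parse_guarded(xml, seconds: 2)
  reasons = rexml_dos_indicators(xml)
  return [:rejected, reasons] unless reasons.empty?
  # Process-global cap on DOM entity expansion (present in recent rexml).
  REXML::Security.entity_expansion_limit = 100 if defined?(REXML::Security)
  doc = Timeout.timeout(seconds) { REXML::Document.new(xml) }
  [:ok, doc]
rescue Timeout::Error
  [:timeout, nil]
end

# Constructed sample inputs (not captured traffic), one per CVE shape.
BENIGN_XML     = '<root><item id="1">hello &amp; goodbye</item></root>'
LT_PAYLOAD     = '<root a="' + ("<" * 5000) + '"/>'        # CVE-2024-35176
HEX_PAYLOAD    = "<r>&#x" + ("0" * 5000) + "41;</r>"       # CVE-2024-49761
ENTITY_PAYLOAD = "<r>" + ("&amp;" * 2000) + "</r>"         # CVE-2024-41946
DEEP_PAYLOAD   = ('<a x="1">' * 6000) + ("</a>" * 6000)    # CVE-2024-43398

if __FILE__ == $PROGRAM_NAME
  puts "loaded rexml #{REXML::VERSION}, upstream fix present: #{rexml_fixed?}"
  [BENIGN_XML, LT_PAYLOAD, HEX_PAYLOAD, ENTITY_PAYLOAD, DEEP_PAYLOAD].each do |xml|
    status, detail = parse_guarded(xml)
    puts "#{xml[0, 20].inspect}... => #{status} #{detail.inspect if status == :rejected}"
  end
end
```

One caveat for Mageia hosts: the fix ships as a patch to the ruby-3.1.5-46.mga9 package, so `REXML::VERSION` on a patched Mageia 9 system can still read a pre-3.3.9 number; `rexml_fixed?` answers for the upstream gem version only, and on a distribution-patched host the package version (`rpm -q ruby`) is the thing to compare against the advisory. The guard is deliberately textual and over-cautious; its thresholds should be set to a generous multiple of what real documents in your application reach.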

References

- https://bugs.mageia.org/show_bug.cgi?id=33576

- https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

- https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/

- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/

- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/

- https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQWXWS2GDTKX4LYWHQOZ2PWXDEICDX2W/

- https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/

- https://ubuntu.com/security/notices/USN-7091-1

- https://www.cve.org/CVERecord?id=CVE-2024-35176

- https://www.cve.org/CVERecord?id=CVE-2024-39908

- https://www.cve.org/CVERecord?id=CVE-2024-41123

- https://www.cve.org/CVERecord?id=CVE-2024-41946

- https://www.cve.org/CVERecord?id=CVE-2024-43398

- https://www.cve.org/CVERecord?id=CVE-2024-49761

Resolution

SRPMS

- 9/core/ruby-3.1.5-46.mga9

Severity
critical

Publication date: 04 Jan 2025
URL: https://advisories.mageia.org/MGASA-2025-0001.html
Type: security
CVE: CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946, CVE-2024-43398, CVE-2024-49761
