
[Security] Bump rexml from 3.2.5 to 3.2.9

HIFIS Bot requested to merge dependabot-bundler-rexml-3.2.9 into master

Bumps rexml from 3.2.5 to 3.2.9. This update includes a security fix.

Vulnerabilities fixed

REXML contains a denial of service vulnerability

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value.

If you need to parse untrusted XMLs, you may be impacted by this vulnerability.

Patches

The REXML gem 3.2.7 or later includes the patch to fix this vulnerability.

Workarounds

Don't parse untrusted XMLs.

References

Patched versions: 3.2.7
Affected versions: < 3.2.7
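The advisory gives one concrete boundary a reviewer of this merge request can act on: rexml below 3.2.7 is affected, 3.2.7 and later is patched. The following Ruby snippet is an added example (not part of this merge request or of the rexml project) that reads a Gemfile.lock and reports whether the locked rexml version still falls on the affected side of that boundary, using Gem::Version so that pre-release and multi-digit components compare correctly. The lockfile fragments are constructed for illustration; the helper names are my own.

```ruby
# Added example, not code from this merge request or the rexml project.
# Decides whether a Gemfile.lock pins a rexml version that predates the
# fix named in the advisory above (affected: < 3.2.7, patched: >= 3.2.7).
require "rubygems"

# Boundary taken from the advisory text on this page.
PATCHED_REXML = Gem::Version.new("3.2.7")

# Extract the locked version of a gem from Gemfile.lock text.
# Top-level spec entries are indented by exactly four spaces
# ("    rexml (3.2.5)"); dependency lines are indented deeper and
# carry no parenthesised version, so they are ignored here.
# Returns a Gem::Version, or nil when the gem is not locked at all.
def locked_version(lockfile_text, gem_name)
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)/
  lockfile_text.each_line do |line|
    if (m = line.match(pattern))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# true  -> locked rexml is older than the patched release
# false -> locked rexml is patched
# nil   -> rexml is not in the lockfile (nothing to assess)
def rexml_vulnerable?(lockfile_text)
  version = locked_version(lockfile_text, "rexml")
  return nil if version.nil?
  version < PATCHED_REXML
end

# Constructed sample lockfiles (hypothetical, for illustration only).
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rexml (3.2.5)
        strscan
LOCK

NEW_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rexml (3.2.9)
        strscan
LOCK

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_rexml.rb [path/to/Gemfile.lock]
  text = ARGV[0] ? File.read(ARGV[0]) : OLD_LOCK
  case rexml_vulnerable?(text)
  when true  then puts "rexml #{locked_version(text, 'rexml')} is below #{PATCHED_REXML}: update"
  when false then puts "rexml #{locked_version(text, 'rexml')} is patched"
  else            puts "rexml is not locked in this Gemfile.lock"
  end
end
```

Pointing the script at a real Gemfile.lock gives the same answer Dependabot reached here; the three-way result distinguishes "patched" from "not present", which matters because rexml is also a default gem and may enter a bundle only transitively.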

Release notes

Sourced from rexml's releases.

REXML 3.2.9 - 2024-06-19

Improvements

  • Added support for old strscan.

  • Improved attribute value parse performance.

  • Improved REXML::Node#each_recursive performance.

  • Improved text parse performance.

    • Reported by mprogrammer.

Thanks

  • Adam
  • NAITOH Jun
  • Hiroya Fujinami
  • mprogrammer

REXML 3.2.8 - 2024-05-16

Fixes

  • Suppressed a warning

REXML 3.2.7 - 2024-05-16

Improvements

... (truncated)

Changelog

Sourced from rexml's changelog.

3.2.9 - 2024-06-19

Improvements

  • Added support for old strscan.

  • Improved attribute value parse performance.

  • Improved REXML::Node#each_recursive performance.

  • Improved text parse performance.

    • Reported by mprogrammer.

Thanks

  • Adam
  • NAITOH Jun
  • Hiroya Fujinami
  • mprogrammer

3.2.8 - 2024-05-16

Fixes

  • Suppressed a warning

3.2.7 - 2024-05-16

Improvements

... (truncated)

Commits
  • 964c9dc Add 3.2.9 entry
  • e06b3fb Improve text parse performance
  • dab8065 Improve Node#each_recursive performance (#139)
  • da67561 test: reduce the number of rehearsal executions
  • 2fc3f79 test: improve name
  • d5ddbff benchmark: Remove non-parsing operations from the DOM case (#136)
  • 037c16a Optimize Source#read_until method (#135)
  • 3e3893d Source#read_until: Add missing position move on all read
  • 4444a04 Add missing encode for custom term
  • f59790b Fix the NEWS.md and change PR reference that fixes CVE-2024-35176 (#133)
  • Additional commits viewable in compare view
