
[Security] Bump rexml from 3.2.5 to 3.3.0

HIFIS Bot requested to merge dependabot-bundler-rexml-3.3.0 into master

Bumps rexml from 3.2.5 to 3.3.0. This update includes a security fix.

Vulnerabilities fixed

REXML contains a denial of service vulnerability

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many `<`s in an attribute value.

If you need to parse untrusted XMLs, you may be impacted by this vulnerability.

Patches

The REXML gem 3.2.7 or later includes the patch to fix this vulnerability.

Workarounds

Don't parse untrusted XMLs.

References

Patched versions: 3.2.7
Affected versions: < 3.2.7

Release notes

Sourced from rexml's releases.

REXML 3.3.0 - 2024-06-11

Improvements

  • Added support for strscan 0.7.0 installed with Ruby 2.6.
    • GH-142
    • Reported by Fernando Trigoso.

Thanks

  • Fernando Trigoso

REXML 3.2.9 - 2024-06-09

Improvements

  • Added support for old strscan.

  • Improved attribute value parse performance.

  • Improved REXML::Node#each_recursive performance.

  • Improved text parse performance.

    • Reported by mprogrammer.

Thanks

  • Adam
  • NAITOH Jun
  • Hiroya Fujinami
  • mprogrammer

REXML 3.2.8 - 2024-05-16

Fixes

  • Suppressed a warning

REXML 3.2.7 - 2024-05-16

Improvements

  • Improve parse performance by using StringScanner.

... (truncated)

Changelog

Sourced from rexml's changelog.

3.3.0 - 2024-06-11 {#version-3-3-0}

Improvements

  • Added support for strscan 0.7.0 installed with Ruby 2.6.
    • GH-142
    • Reported by Fernando Trigoso.

Thanks

  • Fernando Trigoso

3.2.9 - 2024-06-09 {#version-3-2-9}

Improvements

  • Added support for old strscan.

  • Improved attribute value parse performance.

  • Improved REXML::Node#each_recursive performance.

  • Improved text parse performance.

    • Reported by mprogrammer.

Thanks

  • Adam
  • NAITOH Jun
  • Hiroya Fujinami
  • mprogrammer

3.2.8 - 2024-05-16 {#version-3-2-8}

Fixes

  • Suppressed a warning

3.2.7 - 2024-05-16 {#version-3-2-7}

Improvements

  • Improve parse performance by using StringScanner.

... (truncated)

Commits
  • 8247bdc Add 3.3.0 entry
  • 0d9b98c ci: don't use Ruby 2.5 for gem test
  • 31738cc Add support for strscan 0.7.0 installed with Ruby 2.6
  • a7d66f2 ci document: use the latest Ruby
  • 5078c86 news: fix a typo
  • 7ca7ccd Bump version
  • 964c9dc Add 3.2.9 entry
  • e06b3fb Improve text parse performance
  • dab8065 Improve Node#each_recursive performance (#139)
  • da67561 test: reduce the number of rehearsal executions
  • Additional commits viewable in compare view
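The advisory quoted above gives two practical checks: whether the installed REXML is below the patched 3.2.7 boundary, and whether untrusted input is being handed to REXML without any bound on size or parse time. The example below is an added one, not code from the rexml gem or from this merge request; it wraps REXML::Document.new in a size cap and a wall-clock deadline, and builds a constructed input of the shape the advisory describes (many `<`s inside one attribute value). The helper names (rexml_vulnerable?, parse_untrusted, many_lt_attribute_doc) and the default limits are assumptions chosen for the example.

```ruby
# Added example (not part of rexml or of this merge request): guard untrusted
# XML parsing with REXML and check the installed version against the advisory's
# boundary (affected: < 3.2.7). Helper names and limits are assumptions.
require "rexml/document"
require "timeout"

# Version boundary taken from the advisory above: 3.2.7 and later are patched.
PATCHED_REXML = Gem::Version.new("3.2.7")

# True when the given REXML version string falls in the affected range.
def rexml_vulnerable?(version = REXML::VERSION)
  Gem::Version.new(version) < PATCHED_REXML
end

def elapsed_since(started)
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
end

# Parse untrusted XML under a byte-size cap and a wall-clock deadline.
# Returns a hash with :status (:ok, :too_large, :parse_error or :timeout),
# :elapsed in seconds, and :doc when parsing succeeded.
def parse_untrusted(xml, max_bytes: 1_000_000, deadline: 5)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  return { status: :too_large, elapsed: 0.0 } if xml.bytesize > max_bytes

  # The deadline bounds how long a pathological document can hold the
  # worker, whatever the installed REXML version does with it.
  doc = Timeout.timeout(deadline) { REXML::Document.new(xml) }
  { status: :ok, doc: doc, elapsed: elapsed_since(started) }
rescue REXML::ParseException
  { status: :parse_error, elapsed: elapsed_since(started) }
rescue Timeout::Error
  { status: :timeout, elapsed: elapsed_since(started) }
end

# Constructed input of the shape the advisory describes: a single attribute
# value containing `count` raw `<` characters. Not taken from the advisory
# itself; the count is a parameter so the cost can be observed at any size.
def many_lt_attribute_doc(count)
  %(<root attr="#{"<" * count}"/>)
end

if __FILE__ == $0
  puts "REXML #{REXML::VERSION}: vulnerable=#{rexml_vulnerable?}"
  benign = parse_untrusted(%(<a b="1"><c/></a>))
  puts "benign document: #{benign[:status]} (root=#{benign[:doc].root.name})"
  result = parse_untrusted(many_lt_attribute_doc(10_000), deadline: 5)
  puts "10,000 `<`s in one attribute: #{result[:status]} after #{result[:elapsed].round(3)}s"
end
```

The version check is the part worth wiring into CI for a service that parses third-party XML: a `rexml_vulnerable?` that returns true should fail the build, which is exactly what this bump resolves. The size cap and deadline stay useful after the upgrade, since they turn any future parser-cost problem into a rejected request rather than a stalled worker.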
