[Security] Bump rexml from 3.2.5 to 3.3.1

Bumps rexml from 3.2.5 to 3.3.1. This update includes a security fix.

Vulnerabilities fixed

REXML contains a denial of service vulnerability

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value.

If you need to parse untrusted XMLs, you many be impacted to this vulnerability.

Patches

The REXML gem 3.2.7 or later include the patch to fix this vulnerability.

Workarounds

Don't parse untrusted XMLs.

References

• https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

Patched versions: 3.2.7 Affected versions: < 3.2.7

Release notes

Sourced from rexml's releases.

REXML 3.3.1 - 2024-06-25

Improvements

• Added support for detecting malformed top-level comments.

  • GH-145
  • Patch by Hiroya Fujinami.

• Improved REXML::Element#attribute performance.

  • GH-146
  • Patch by Hiroya Fujinami.

• Added support for detecting malformed <!--> comments.

  • GH-147
  • Patch by Hiroya Fujinami.

• Added support for detecting unclosed DOCTYPE.

  • GH-152
  • Patch by Hiroya Fujinami.

• Added changlog_uri metadata to gemspec.

  • GH-156
  • Patch by fynsta.

• Improved parse performance.

  • GH-157
  • GH-158
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that large XML can't be parsed.

  • GH-154
  • Patch by NAITOH Jun.

• Fixed a bug that private constants are visible.

  • GH-155
  • Patch by NAITOH Jun.

Thanks

• Hiroya Fujinami

• NAITOH Jun

• fynsta

REXML 3.3.0 - 2024-06-11

Improvements

... (truncated)

Changelog

Sourced from rexml's changelog.

3.3.1 - 2024-06-25 {#version-3-3-1}

Improvements

• Added support for detecting malformed top-level comments.

  • GH-145
  • Patch by Hiroya Fujinami.

• Improved REXML::Element#attribute performance.

  • GH-146
  • Patch by Hiroya Fujinami.

• Added support for detecting malformed <!--> comments.

  • GH-147
  • Patch by Hiroya Fujinami.

• Added support for detecting unclosed DOCTYPE.

  • GH-152
  • Patch by Hiroya Fujinami.

• Added changlog_uri metadata to gemspec.

  • GH-156
  • Patch by fynsta.

• Improved parse performance.

  • GH-157
  • GH-158
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that large XML can't be parsed.

  • GH-154
  • Patch by NAITOH Jun.

• Fixed a bug that private constants are visible.

  • GH-155
  • Patch by NAITOH Jun.

Thanks

• Hiroya Fujinami

• NAITOH Jun

• fynsta

3.3.0 - 2024-06-11 {#version-3-3-0}

Improvements

... (truncated)

Commits

• 20017ee Add 3.3.1 entry
• a579730 Optimize BaseParser#unnormalize method (#158)
• e6e07f2 Reuse of Set.new at prefixes variables (#157)
• 22d206a Add changelog_uri to gemspec (#156)
• cfa8dd9 Don't include private_constant-ed module (#155)
• 4c28808 Fix a bug that a large XML can't be parsed (#154)
• f704011 Reject unclosed DOCTYPE on parsing (#153)
• d906ae2 Add a "Malformed comment" check for invalid comments such as \<!--> (#147)
• 1e31ffc Fix small typos (#148)
• 3b026f8 Improve Element#attribute implementation as 6500x faster (#146)
• Additional commits viewable in compare view