[Security] Bump rexml from 3.2.5 to 3.3.2

Bumps rexml from 3.2.5 to 3.3.2. This update includes security fixes.

Vulnerabilities fixed

REXML contains a denial of service vulnerability

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value.

If you need to parse untrusted XMLs, you may be impacted to this vulnerability.

Patches

The REXML gem 3.2.7 or later include the patch to fix this vulnerability.

Workarounds

Don't parse untrusted XMLs.

References

• https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

Patched versions: 3.2.7
Affected versions: < 3.2.7

REXML denial of service vulnerability

Impact

The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as <, 0 and %>.

If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

• https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
• https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/

Patched versions: 3.3.2
Affected versions: < 3.3.2

Release notes

Sourced from rexml's releases.

REXML 3.3.2 - 2024-07-16

Improvements

• Improved parse performance.

  • GH-160
  • Patch by NAITOH Jun.

• Improved parse performance.

  • GH-169
  • GH-170
  • GH-171
  • GH-172
  • GH-173
  • GH-174
  • GH-175
  • GH-176
  • GH-177
  • Patch by Watson.

• Added support for raising a parse exception when an XML has extra content after the root element.

  • GH-161
  • Patch by NAITOH Jun.

• Added support for raising a parse exception when an XML declaration exists in wrong position.

  • GH-162
  • Patch by NAITOH Jun.

• Removed needless a space after XML declaration in pretty print mode.

  • GH-164
  • Patch by NAITOH Jun.

• Stopped to emit :text event after the root element.

  • GH-167
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that SAX2 parser doesn't expand predefined entities for characters callback.
  • GH-168
  • Patch by NAITOH Jun.

Thanks

• NAITOH Jun

• Watson

... (truncated)

Changelog

Sourced from rexml's changelog.

3.3.2 - 2024-07-16 {#version-3-3-2}

Improvements

• Improved parse performance.

  • GH-160
  • Patch by NAITOH Jun.

• Improved parse performance.

  • GH-169
  • GH-170
  • GH-171
  • GH-172
  • GH-173
  • GH-174
  • GH-175
  • GH-176
  • GH-177
  • Patch by Watson.

• Added support for raising a parse exception when an XML has extra content after the root element.

  • GH-161
  • Patch by NAITOH Jun.

• Added support for raising a parse exception when an XML declaration exists in wrong position.

  • GH-162
  • Patch by NAITOH Jun.

• Removed needless a space after XML declaration in pretty print mode.

  • GH-164
  • Patch by NAITOH Jun.

• Stopped to emit :text event after the root element.

  • GH-167
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that SAX2 parser doesn't expand predefined entities for characters callback.
  • GH-168
  • Patch by NAITOH Jun.

Thanks

• NAITOH Jun

• Watson

... (truncated)

Commits

• 2b285ac Add 3.3.2 entry
• 0e33d3a test: improve linear performance test names
• 910e5a2 Fix performance issue caused by using repeated > characters inside `<xml><!...
• 1f1e6e9 Fix ReDoS by using repeated space characters inside `<!DOCTYPE name [<!ATTLIS...
• 1cc1d9a Suppress have_root not initialized warnings on Ruby < 3
• 67efb59 Fix performance issue caused by using repeated > characters inside `<!DOCTY...
• a79ac8b Fix performance issue caused by using repeated > characters inside `<!DOCTY...
• c33ea49 Fix performance issue caused by using repeated > characters after ` <!DOCTY...
• 9f1415a Fix performance issue caused by using repeated > characters inside `CDATA [...
• c1b64c1 Fix performance issue caused by using repeated > characters inside comments...
• Additional commits viewable in compare view