[Security] Bump rexml from 3.2.5 to 3.3.3
Bumps rexml from 3.2.5 to 3.3.3. This update includes security fixes.
Vulnerabilities fixed
REXML contains a denial of service vulnerability
Impact
The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many `<`s in an attribute value. If you need to parse untrusted XMLs, you may be impacted by this vulnerability.
Patches
The REXML gem 3.2.7 or later include the patch to fix this vulnerability.
Workarounds
Don't parse untrusted XMLs.
References
Patched versions: 3.2.7
Affected versions: < 3.2.7
REXML denial of service vulnerability
Impact
The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you may be impacted by these vulnerabilities.
Patches
The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities.
Workarounds
Don't parse untrusted XMLs.
References
- https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh: This is a similar vulnerability
- https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/
Patched versions: 3.3.2
Affected versions: < 3.3.2
REXML DoS vulnerability
Impact
The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace characters, `>]` and `]>`. If you need to parse untrusted XMLs, you may be impacted by these vulnerabilities.
Patches
The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.
Workarounds
Don't parse untrusted XMLs.
References
- https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh: This is a similar vulnerability
- https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8: This is a similar vulnerability
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announcement on www.ruby-lang.org
Patched versions: 3.3.3
Affected versions: < 3.3.3
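All three advisories give the same workaround, "don't parse untrusted XMLs". Where that is not an option, the following is an added example (not rexml's code and not part of this PR) of wrapping `REXML::Document` so that untrusted input is bounded in size, entity expansion and wall-clock time, using the `REXML::Security.entity_expansion_limit=` and `REXML::Security.entity_expansion_text_limit=` setters that the 3.3.3 release notes mention. The `GuardedXml` module, its limit values and the embedded sample documents (including a scaled-down "billion laughs" entity bomb) are constructed for illustration.

```ruby
require "rexml/document"
require "timeout"

# Added example: a guarded front door for REXML when the input is untrusted.
# GuardedXml, its limits and the sample documents below are illustrative
# assumptions, not part of rexml or of this PR.
module GuardedXml
  Result = Struct.new(:status, :doc, :error)

  MAX_BYTES = 64 * 1024               # reject anything larger before parsing
  MAX_SECONDS = 2                     # wall-clock budget for parse + expansion
  ENTITY_EXPANSION_LIMIT = 100        # far below REXML's default of 10_000
  ENTITY_EXPANSION_TEXT_LIMIT = 1024  # bytes; REXML's default is 10_240

  # Returns a Result whose status is :ok, :too_large or :rejected.
  def self.parse(xml, max_bytes: MAX_BYTES, max_seconds: MAX_SECONDS)
    if xml.bytesize > max_bytes
      return Result.new(:too_large, nil, "#{xml.bytesize} bytes exceeds #{max_bytes}")
    end

    # REXML::Security settings are process-global; set them explicitly so a
    # looser setting elsewhere in the process does not silently apply here.
    REXML::Security.entity_expansion_limit = ENTITY_EXPANSION_LIMIT
    REXML::Security.entity_expansion_text_limit = ENTITY_EXPANSION_TEXT_LIMIT

    doc = Timeout.timeout(max_seconds) do
      d = REXML::Document.new(xml)
      # REXML expands entity references lazily when text is read. Force the
      # expansion here so that a limit violation surfaces inside this guard
      # rather than later, wherever the caller first touches the text.
      REXML::XPath.each(d, "//text()") { |t| t.value }
      d
    end
    Result.new(:ok, doc, nil)
  rescue RuntimeError => e
    # REXML::ParseException, REXML's entity-expansion errors and
    # Timeout::Error are all RuntimeErrors.
    Result.new(:rejected, nil, "#{e.class}: #{e.message}")
  end

  # Constructed sample: a benign document.
  BENIGN = %(<config><user name="alice">hi &amp; bye</user></config>)

  # Constructed sample: classic entity expansion bomb ("billion laughs"),
  # scaled down so that it trips the limits without taking any real time.
  BILLION_LAUGHS = <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE lolz [
      <!ENTITY lol "lol">
      <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
      <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
      <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
      <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    ]>
    <lolz>&lol4;</lolz>
  XML

  # Constructed sample: a document that is too big to be worth parsing.
  OVERSIZED = "<a>" + ("x" * (MAX_BYTES + 1)) + "</a>"
end

if $PROGRAM_NAME == __FILE__
  [["benign", GuardedXml::BENIGN], ["oversized", GuardedXml::OVERSIZED],
   ["billion laughs", GuardedXml::BILLION_LAUGHS]].each do |label, xml|
    r = GuardedXml.parse(xml)
    puts "#{label}: #{r.status} #{r.error}"
  end
end
```

None of these caps removes the quadratic-time bugs the advisories describe; the size cap only bounds how much work a malicious document can demand and the timeout bounds how long a worker can stall on it. Upgrading to 3.3.3, which this PR does, is the actual fix. Note also that the `REXML::Security` limits are global to the process, so setting them here affects every other REXML caller in the same process.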
Release notes
Sourced from rexml's releases.
REXML 3.3.3 - 2024-08-01
Improvements
Added support for detecting invalid XML that has unsupported content before root element
- GH-184
- Patch by NAITOH Jun.
Added support for `REXML::Security.entity_expansion_limit=` and `REXML::Security.entity_expansion_text_limit=` in SAX2 and pull parsers
- GH-187
- Patch by NAITOH Jun.
Added more tests for invalid XMLs.
- GH-183
- Patch by Watson.
Added more performance tests.
- Patch by Watson.
Improved parse performance.
- GH-186
- Patch by tomoya ishida.
Thanks
NAITOH Jun
Watson
tomoya ishida
REXML 3.3.2 - 2024-07-16
Improvements
... (truncated)
Changelog
Sourced from rexml's changelog.
3.3.3 - 2024-08-01 {#version-3-3-3}
Improvements
Added support for detecting invalid XML that has unsupported content before root element
- GH-184
- Patch by NAITOH Jun.
Added support for `REXML::Security.entity_expansion_limit=` and `REXML::Security.entity_expansion_text_limit=` in SAX2 and pull parsers
- GH-187
- Patch by NAITOH Jun.
Added more tests for invalid XMLs.
- GH-183
- Patch by Watson.
Added more performance tests.
- Patch by Watson.
Improved parse performance.
- GH-186
- Patch by tomoya ishida.
Thanks
NAITOH Jun
Watson
tomoya ishida
3.3.2 - 2024-07-16 {#version-3-3-2}
Improvements
... (truncated)
Commits
- e4a067e Add 3.3.3 entry
- 17ff3e7 test: add a performance test for attribute list declaration
- be86b3d test: fix wrong test name
- b93d790 test: use double quote for string literal
- 0fbe7d5 test: don't use abbreviated name
- 1599e87 test: add a performance test for PI with many tabs
- e2546e6 parse pi: improve invalid case detection
- 73661ef test: fix a typo
- 850488a test: use double quote for string literal
- 46c6397 test: add performance tests for entity declaration
- Additional commits viewable in compare view