Release date:
2026-05-07 15:05:41 UTC
Description:
* SECURITY UPDATE: REXML ReDoS via leading-zero hex character reference
- debian/patches/CVE-2024-49761.patch: replace the
/&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ regex in unnormalize() with
/&#((?:\d+)|(?:x[a-fA-F0-9]+));/ so that &#0x...; is no longer
accepted as a hex character reference, eliminating the
catastrophic-backtracking ReDoS on inputs with many leading
zeros.
- CVE-2024-49761
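The regex change above, as an added example that is not part of this changelog or of REXML itself: a minimal character-reference decoder written in the style of unnormalize(), with the pre-fix pattern beside the patched one. The decode_char_refs helper and the sample inputs are constructed for this illustration.

```ruby
# Added example, not REXML's own code: a small numeric character-reference
# decoder that takes the pattern as a parameter so both variants can be
# compared on the same input.

# Pre-fix pattern from CVE-2024-49761. The optional leading zeros (0*)
# overlap with \d+, so an unterminated run of zeros makes the engine retry
# every split between the two groups: catastrophic backtracking.
VULNERABLE_REF = /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/

# Patched pattern: the 0* prefix is gone. Decimal references still accept
# leading zeros via \d+, and hex references keep theirs inside the hex
# digits (&#x0041;), but the non-standard &#0x41; form is no longer decoded.
PATCHED_REF = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/

# Decode every numeric character reference the pattern accepts; anything
# the pattern rejects is left in the output exactly as it was.
def decode_char_refs(text, pattern = PATCHED_REF)
  text.gsub(pattern) do
    ref = Regexp.last_match(1)
    codepoint = ref.start_with?("x") ? ref[1..-1].to_i(16) : ref.to_i(10)
    [codepoint].pack("U")
  end
end

# Constructed inputs: well-formed decimal and hex references, the
# leading-zero hex form the fix stops accepting, and an unterminated
# run of zeros of the shape that triggered the backtracking.
WELL_FORMED = "&#65;&#x41;&#x0041;&#0065;"
LEADING_ZERO_HEX = "&#0x41;"
UNTERMINATED_ZEROS = "&#" + ("0" * 40) + " trailing text"

if __FILE__ == $PROGRAM_NAME
  puts decode_char_refs(WELL_FORMED)                        # both patterns agree
  puts decode_char_refs(LEADING_ZERO_HEX, VULNERABLE_REF)   # pre-fix: decoded
  puts decode_char_refs(LEADING_ZERO_HEX)                   # patched: left as-is
  puts decode_char_refs(UNTERMINATED_ZEROS)                 # no reference, unchanged
end
```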
* SECURITY UPDATE: REXML DoS via deep same-local-name attributes
- debian/patches/CVE-2024-43398.patch: replace the per-attribute
tree-walk in Element#[]= with an O(1) parse-time conflict check
using a parser-level @namespaces hash and an expanded_names
hash keyed on [uri, local_part]; seed @namespaces with the
implicitly-bound xml prefix per upstream 78f8712 to avoid
breaking XHTML documents that use both xml:lang and lang.
- CVE-2024-43398
* SECURITY UPDATE: REXML DoS via entity expansion in SAX/pull parsers
- debian/patches/CVE-2024-41946.patch: route the SAX2Parser :text
handler through @parser.unnormalize (upstream prerequisite
4ebf21f), and add @entity_expansion_count + per-call
sum/Security.entity_expansion_text_limit accounting in
BaseParser so that billion-laughs-style XML triggers
"entity expansion has grown too large" / "number of entity
expansions exceeded" in SAX and pull mode, matching the
existing DOM behaviour.
- CVE-2024-41946
* SECURITY UPDATE: REXML DoS via slow processing-instruction parsing
- debian/patches/CVE-2024-41123.patch: rewrite process_instruction
to call parse_name and then match the content separately,
avoiding the catastrophic-backtracking INSTRUCTION_PATTERN
regex; grow the IOSource read buffer exponentially via
min_bytes so that source.match() is O(log n) attempts rather
than O(n) on inputs that never match the regex.
- CVE-2024-41123
Updated packages:
- alt-ruby30_3.0.7-171_amd64.deb sha:6a9aba4842e7d3274263084845da85c0749591fd
- alt-ruby30-default-gems_3.0.7-171_amd64.deb sha:05b98fe73d50d4ab8f4e959f4ed8b7f7e14db96c
- alt-ruby30-devel_3.0.7-171_amd64.deb sha:ea68e4184b6c96c41f0239a652eed0c2f660229b
- alt-ruby30-doc_3.0.7-171_amd64.deb sha:8c97d776dee8e0b41bdf725eeafd04f146c9ef64
- alt-ruby30-libs_3.0.7-171_amd64.deb sha:7e6d991bcf716f35deab88c268f625d2f6becf3a
- alt-ruby30-rubygem-bigdecimal_3.0.0-171_amd64.deb sha:1ad24376e0b52dea678e5f2f843e5edacd99a163
- alt-ruby30-rubygem-bundler_2.2.33-171_amd64.deb sha:e8aad0461cd3e7083fdf5b34a296ba7f2644c139
- alt-ruby30-rubygem-io-console_0.5.7-171_amd64.deb sha:50b0804c2095f3c7b0609324880fecfcbdba7a5e
- alt-ruby30-rubygem-irb_1.3.5-171_amd64.deb sha:f296889301a77163a936ed4a8e74c785331839f2
- alt-ruby30-rubygem-json_2.5.1-171_amd64.deb sha:77b30aa8059cbd9b551d4c2f67b431cc765361a3
- alt-ruby30-rubygem-minitest_5.14.2-171_amd64.deb sha:3b77e26aea1b259e746efbb5a8b4a3019cb00d90
- alt-ruby30-rubygem-power-assert_1.2.1-171_amd64.deb sha:c95e66aecec6e5148473e5c809b6db68f4926497
- alt-ruby30-rubygem-psych_3.3.2-171_amd64.deb sha:4ede1fe212bff9430321c43985e41317ef92e0b2
- alt-ruby30-rubygem-rake_13.0.3-171_amd64.deb sha:8c759c832613554c79196f84163523cd0131eca6
- alt-ruby30-rubygem-rbs_1.4.0-171_amd64.deb sha:2e8a6a32ba3fb8ac6e662a81cc889c3e385e6f38
- alt-ruby30-rubygem-rdoc_6.3.4.1-171_amd64.deb sha:973f6e5895c72cbc7c1e48dd94e37e1f149998b5
- alt-ruby30-rubygem-rexml_3.2.5-171_amd64.deb sha:c9ea22cf3be8a5a321e55a02c5077b7ee0ee9590
- alt-ruby30-rubygem-rss_0.2.9-171_amd64.deb sha:1818690f40f4c9f439d13ce52a3c2c5111bbf024
- alt-ruby30-rubygem-test-unit_3.3.7-171_amd64.deb sha:d3f0cf0310d7911d9e70b5fc8d35f232cdf63b96
- alt-ruby30-rubygem-typeprof_0.15.2-171_amd64.deb sha:b262b34b0db22f52cdc02dab3f0655cfdf6b5775
- alt-ruby30-rubygems_3.2.33-171_amd64.deb sha:2c58d42064b7c5093b6d0ff1c4888b4b956800bd
- alt-ruby30-rubygems-devel_3.2.33-171_amd64.deb sha:9c32fb9bbb53a57bfbf595ef2c552015910e6178
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.