[CLSA-2026:1777973760] Fix CVE(s): CVE-2024-41123, CVE-2024-41946, CVE-2024-43398, CVE-2024-49761
Type:
security
Severity:
Important
Release date:
2026-05-05 16:33:26 UTC
Description:
* SECURITY UPDATE: REXML ReDoS via leading-zero hex character reference
  - debian/patches/CVE-2024-49761.patch: replace the /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ regex in unnormalize() with /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ so that &#0x...; is no longer accepted as a hex character reference, eliminating the catastrophic-backtracking ReDoS on inputs with many leading zeros.
  - CVE-2024-49761
* SECURITY UPDATE: REXML DoS via deep same-local-name attributes
  - debian/patches/CVE-2024-43398.patch: replace the per-attribute tree-walk in Element#[]= with an O(1) parse-time conflict check using a parser-level @namespaces hash and an expanded_names hash keyed on [uri, local_part]; seed @namespaces with the implicitly-bound xml prefix per upstream 78f8712 to avoid breaking XHTML documents that use both xml:lang and lang.
  - CVE-2024-43398
* SECURITY UPDATE: REXML DoS via entity expansion in SAX/pull parsers
  - debian/patches/CVE-2024-41946.patch: route the SAX2Parser :text handler through @parser.unnormalize (upstream prerequisite 4ebf21f), and add @entity_expansion_count + per-call sum/Security.entity_expansion_text_limit accounting in BaseParser so that billion-laughs-style XML triggers "entity expansion has grown too large" / "number of entity expansions exceeded" in SAX and pull mode, matching the existing DOM behaviour.
  - CVE-2024-41946
* SECURITY UPDATE: REXML DoS via slow processing-instruction parsing
  - debian/patches/CVE-2024-41123.patch: rewrite process_instruction to call parse_name and then match the content separately, avoiding the catastrophic-backtracking INSTRUCTION_PATTERN regex; grow the IOSource read buffer exponentially via min_bytes so that source.match() is O(log n) attempts rather than O(n) on inputs that never match the regex.
  - CVE-2024-41123
* Add debian/patches/rexml-cve-tests.patch with regression tests adapted from upstream for the four CVEs above; replaces assert_linear_performance (not available on 2.6) with Timeout-based guards and uses class+message form of assert_raise so the tests work under the bundled minitest-style Test::Unit.
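Verification example (added here; not part of this advisory, the CloudLinux packages, or REXML itself): a Ruby script that shows what the CVE-2024-49761 regex change accepts and rejects, and probes an installed REXML for the CVE-2024-41946 SAX-mode entity-expansion limit and the xml:lang/lang regression guard noted under CVE-2024-43398. The two regexes are the ones quoted in the description; the billion-laughs document, the 1024-byte limit, and the :protected/:vulnerable/:ok/:broken labels are this example's own constructions. Run it with the alt-ruby26 interpreter before and after installing the -16 packages.

```ruby
# Added example, not part of this advisory or of REXML: probes an installed
# REXML for the behaviour the fixes above describe.  The two regexes are the
# ones quoted in the CVE-2024-49761 entry; the XML document, the 1024-byte
# limit and the result labels are this example's own constructions.

# Pre-fix and post-fix character-reference patterns from unnormalize().
OLD_CHARREF = /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/
NEW_CHARREF = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/

# For each candidate reference, report whether the old and new patterns
# accept it.  "&#0x41;" shows the change: the old pattern let its 0* swallow
# leading zeros before the hex marker, and that same 0* competing with \d+
# is what backtracks quadratically on a long run of zeros with no closing ';'.
def charref_comparison(refs)
  refs.each_with_object({}) do |ref, out|
    out[ref] = { old: ref.match?(OLD_CHARREF), new: ref.match?(NEW_CHARREF) }
  end
end

# Constructed billion-laughs document: &lol3; expands to 3000 bytes.
BILLION_LAUGHS = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  ]>
  <lolz>&lol3;</lolz>
XML

# CVE-2024-41946 check: lower the text limit well below the 3000-byte
# expansion and run the SAX2 parser.  A fixed REXML raises a RuntimeError
# whose message names the entity-expansion limit; a vulnerable one hands
# the fully expanded text to the :characters listener.
def probe_sax_entity_limit(xml = BILLION_LAUGHS, limit: 1024)
  begin
    require "rexml/document"
    require "rexml/parsers/sax2parser"
  rescue LoadError
    return :rexml_unavailable
  end
  old_limit = REXML::Security.entity_expansion_text_limit
  REXML::Security.entity_expansion_text_limit = limit
  delivered = 0
  parser = REXML::Parsers::SAX2Parser.new(xml)
  parser.listen(:characters) { |text| delivered += text.bytesize }
  parser.parse
  delivered > limit ? :vulnerable : :unexpected
rescue RuntimeError => e
  e.message.include?("entity expansion") ? :protected : :other
rescue StandardError
  :other
ensure
  REXML::Security.entity_expansion_text_limit = old_limit if old_limit
end

# CVE-2024-43398 regression guard: the parse-time conflict check must still
# accept xml:lang next to an unprefixed lang, as XHTML documents use them
# (upstream 78f8712 seeds the xml prefix for exactly this reason).
def probe_xml_lang_attributes
  begin
    require "rexml/document"
  rescue LoadError
    return :rexml_unavailable
  end
  root = REXML::Document.new('<html xml:lang="en" lang="en"/>').root
  root.attributes["xml:lang"] == "en" && root.attributes["lang"] == "en" ? :ok : :broken
rescue StandardError
  :broken
end

if $PROGRAM_NAME == __FILE__
  charref_comparison(["&#65;", "&#x41;", "&#0x41;", "&#0065;"]).each do |ref, r|
    puts "#{ref.ljust(10)} old=#{r[:old]} new=#{r[:new]}"
  end
  puts "SAX entity limit: #{probe_sax_entity_limit}"
  puts "xml:lang + lang:  #{probe_xml_lang_attributes}"
end
```

On a patched alt-ruby26 the SAX probe should report :protected and the attribute probe :ok; :vulnerable means the SAX2 parser still expanded 3000 bytes past a 1024-byte limit, and :broken means the xml:lang/lang pair was rejected, which is the regression the 78f8712 seeding prevents. The regex table is pure Ruby and needs no REXML at all.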
Updated packages:
  • alt-ruby26_2.6.10-16_amd64.deb
    sha:4dd8a09851312949ba30a2de05690ec613961fe9
  • alt-ruby26-default-gems_2.6.10-16_amd64.deb
    sha:d8aca07c3f9b58f5d86418e483b0571c76c1cd43
  • alt-ruby26-devel_2.6.10-16_amd64.deb
    sha:8ff23587cd9bda1597581e76730e2914da71dc56
  • alt-ruby26-devel-doc_2.6.10-16_amd64.deb
    sha:ca0261d28e1f6fc483b2c7c0d7fce516535e333e
  • alt-ruby26-doc_2.6.10-16_amd64.deb
    sha:dae18b235a9e4ed1a5068b728748c92b4d29204a
  • alt-ruby26-libs_2.6.10-16_amd64.deb
    sha:e9ef6b4063c4bd2f03168a060fa0e17f1415af07
  • alt-ruby26-rubygem-bigdecimal_1.4.1-16_amd64.deb
    sha:07486921b551202654c29173723e448bf97adce2
  • alt-ruby26-rubygem-did-you-mean_2.6.10-16_amd64.deb
    sha:bf1ae35fd205675ac8d58ced3ea05b19eb2912b6
  • alt-ruby26-rubygem-io-console_0.4.7-16_amd64.deb
    sha:80a5f9ff23c4ed35ac4564cba0450d1450c6c426
  • alt-ruby26-rubygem-json_2.1.0-16_amd64.deb
    sha:6066ef155326e1318ae8e001fc4b62379a56bb05
  • alt-ruby26-rubygem-minitest_5.11.3-16_amd64.deb
    sha:5bb53b5f86126bb48dbfa1fe1952bc8ace96395b
  • alt-ruby26-rubygem-net-telnet_0.2.0-16_amd64.deb
    sha:936701f7101bde6183be8100b3df8046b5d0e7c6
  • alt-ruby26-rubygem-openssl_2.6.10-16_amd64.deb
    sha:b78b93170c2abe2f35c97e52a5235e28aad221e2
  • alt-ruby26-rubygem-power-assert_1.1.3-16_amd64.deb
    sha:2fdfb37e0821dd9da85a11770c3024fdb40cafa6
  • alt-ruby26-rubygem-psych_3.1.0-16_amd64.deb
    sha:801ad1d4988419de298bf36d4a4c5a5181749c7e
  • alt-ruby26-rubygem-rake_12.3.3-16_amd64.deb
    sha:df8fa777bb508178e8d7510fceabfefacbde4366
  • alt-ruby26-rubygem-rdoc_6.1.2.1-16_amd64.deb
    sha:7f65edd20369b9350e45708f85f48f1fcfbf3415
  • alt-ruby26-rubygem-test-unit_3.2.9-16_amd64.deb
    sha:bad905ddc247702e7ab38df54395a37cbd19867c
  • alt-ruby26-rubygem-typeprof_2.6.10-16_amd64.deb
    sha:7789c404d3ec88481a2be0f17b34a463d0889154
  • alt-ruby26-rubygem-xmlrpc_0.3.0-16_amd64.deb
    sha:c4d43257a24a314cb58aa85b67682f5b045e5d76
  • alt-ruby26-rubygems_3.0.3.1-16_amd64.deb
    sha:1f2fc36cb7adb42d326274ebab461e95cc7aa575
  • alt-ruby26-rubygems-devel_3.0.3.1-16_amd64.deb
    sha:26fd9d62d8f106a764f407f3859b3f7d3ceaac27
  • alt-ruby26_2.6.10-16_arm64.deb
    sha:b4e3c03d00d63863fb9ae6494bdc176d12a6e3be
  • alt-ruby26-default-gems_2.6.10-16_arm64.deb
    sha:296e471dc56eca9d679c7dba23e9f59687c34dcb
  • alt-ruby26-devel_2.6.10-16_arm64.deb
    sha:16cd179cf1d2966f1386c8578ab025c38d888afc
  • alt-ruby26-devel-doc_2.6.10-16_arm64.deb
    sha:0619936926759238fef291d27f6ed79edfa960fd
  • alt-ruby26-doc_2.6.10-16_arm64.deb
    sha:9af4c925e8523b50de24406046efd2ec11d8fc70
  • alt-ruby26-libs_2.6.10-16_arm64.deb
    sha:cc9d055a5494c3571267f1045ec9ec042490f436
  • alt-ruby26-rubygem-bigdecimal_1.4.1-16_arm64.deb
    sha:7dd7eb12d3f71593e8a9bc7a96b5f838d7418d67
  • alt-ruby26-rubygem-did-you-mean_2.6.10-16_arm64.deb
    sha:bde024feb48e104286e0e88005e0c111fafa5f4f
  • alt-ruby26-rubygem-io-console_0.4.7-16_arm64.deb
    sha:0019e3ab9e10098945fac2d293e37ac0b340e1bb
  • alt-ruby26-rubygem-json_2.1.0-16_arm64.deb
    sha:bf2042ed3d5e7bac285182854fe1b89e1c45e851
  • alt-ruby26-rubygem-minitest_5.11.3-16_arm64.deb
    sha:0ec4a9861acd984bd99eb49f74cadb4dc3607a8b
  • alt-ruby26-rubygem-net-telnet_0.2.0-16_arm64.deb
    sha:b101817d2c80689ec0cb3c8fa7daa54ad818990a
  • alt-ruby26-rubygem-openssl_2.6.10-16_arm64.deb
    sha:3c66e4e4aad89bbc92525673da8785eb982e8491
  • alt-ruby26-rubygem-power-assert_1.1.3-16_arm64.deb
    sha:c05d0807e223fc764f83c020eddbb9e617a5cbf8
  • alt-ruby26-rubygem-psych_3.1.0-16_arm64.deb
    sha:99011479c92ddc0fb8e7e7f6fc2151ed4bca3f9e
  • alt-ruby26-rubygem-rake_12.3.3-16_arm64.deb
    sha:9ff47809dc9246896a847911c3e27f5d30246d73
  • alt-ruby26-rubygem-rdoc_6.1.2.1-16_arm64.deb
    sha:87884237017372023a41980df60c9d055880710c
  • alt-ruby26-rubygem-test-unit_3.2.9-16_arm64.deb
    sha:8a0947601734f9daa39d7a600db6aba5198f3c8e
  • alt-ruby26-rubygem-typeprof_2.6.10-16_arm64.deb
    sha:1e76fc25d9272d4de64741a959bbe1e4d9a24b23
  • alt-ruby26-rubygem-xmlrpc_0.3.0-16_arm64.deb
    sha:69379f34f6167edc90d1d1c7429e555370235ed5
  • alt-ruby26-rubygems_3.0.3.1-16_arm64.deb
    sha:421ba0c96b87cc126e1760c8bdb53b45bf4b3a5e
  • alt-ruby26-rubygems-devel_3.0.3.1-16_arm64.deb
    sha:235d78e03b5232987e975fa67c6dd4738a2338cf
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.