[CLSA-2026:1777999412] Fix CVE(s): CVE-2024-41123, CVE-2024-41946, CVE-2024-43398, CVE-2024-49761
Type:
security
Severity:
Important
Release date:
2026-05-05 16:43:39 UTC
Description:
* SECURITY UPDATE: REXML ReDoS via leading-zero hex character reference
  - debian/patches/CVE-2024-49761.patch: replace the /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ regex in unnormalize() with /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ so that &#0x...; is no longer accepted as a hex character reference, eliminating the catastrophic-backtracking ReDoS on inputs with many leading zeros.
  - CVE-2024-49761
* SECURITY UPDATE: REXML DoS via deep same-local-name attributes
  - debian/patches/CVE-2024-43398.patch: replace the per-attribute tree-walk in Element#[]= with an O(1) parse-time conflict check using a parser-level @namespaces hash and an expanded_names hash keyed on [uri, local_part]; seed @namespaces with the implicitly-bound xml prefix per upstream 78f8712 to avoid breaking XHTML documents that use both xml:lang and lang.
  - CVE-2024-43398
* SECURITY UPDATE: REXML DoS via entity expansion in SAX/pull parsers
  - debian/patches/CVE-2024-41946.patch: route the SAX2Parser :text handler through @parser.unnormalize (upstream prerequisite 4ebf21f), and add @entity_expansion_count + per-call sum/Security.entity_expansion_text_limit accounting in BaseParser so that billion-laughs-style XML triggers "entity expansion has grown too large" / "number of entity expansions exceeded" in SAX and pull mode, matching the existing DOM behaviour.
  - CVE-2024-41946
* SECURITY UPDATE: REXML DoS via slow processing-instruction parsing
  - debian/patches/CVE-2024-41123.patch: rewrite process_instruction to call parse_name and then match the content separately, avoiding the catastrophic-backtracking INSTRUCTION_PATTERN regex; grow the IOSource read buffer exponentially via min_bytes so that source.match() is O(log n) attempts rather than O(n) on inputs that never match the regex.
  - CVE-2024-41123
* Add debian/patches/rexml-cve-tests.patch with regression tests adapted from upstream for the four CVEs above; replaces assert_linear_performance (not available on 2.6) with Timeout-based guards and uses class+message form of assert_raise so the tests work under the bundled minitest-style Test::Unit.
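The two fixes a packager can check directly from Ruby are the CVE-2024-49761 regex change (which character references the old and new unnormalize() patterns accept) and the entity-expansion limit that the CVE-2024-41946 patch extends from DOM mode to SAX/pull mode. The following is an added Ruby example written for this page; it is not code from the advisory, the Debian patches or REXML itself. It assumes a Ruby with the bundled rexml gem (it degrades to :rexml_unavailable without it); the names charref_accepted?, decode_charrefs, expansion_outcome and ENTITY_XML are chosen here, and every input is constructed.

```ruby
# Added example (not CloudLinux's or REXML's own code). Shows what the
# CVE-2024-49761 regex change accepts and rejects, and how REXML's
# entity_expansion_limit stops a document with too many entity references.
# All inputs below are constructed.

# Pre-fix pattern from REXML's unnormalize(): `0*` and `\d+` both consume
# zeros, so a long run of zeros with no terminating ';' makes the engine
# retry every split point between them (catastrophic backtracking).
OLD_CHARREF = /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/
# Post-fix pattern: zeros are only matched as part of a decimal reference,
# so "&#0x41;" is no longer a valid hex reference and there is no overlap.
NEW_CHARREF = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/

# True when PATTERN accepts REF as one whole character reference.
def charref_accepted?(pattern, ref)
  m = pattern.match(ref)
  !m.nil? && m[0] == ref
end

# Decodes numeric character references in TEXT using PATTERN, leaving
# anything the pattern rejects untouched (the way unnormalize() does).
def decode_charrefs(text, pattern = NEW_CHARREF)
  text.gsub(pattern) do
    body = Regexp.last_match(1)
    code = body.start_with?("x") ? body[1..-1].to_i(16) : body.to_i
    [code].pack("U")
  end
end

begin
  require "rexml/document"
  REXML_AVAILABLE = true
rescue LoadError
  REXML_AVAILABLE = false
end

# Constructed document: eight references to one small internal entity.
ENTITY_XML = <<~XML
  <!DOCTYPE r [ <!ENTITY a "0123456789"> ]>
  <r>&a;&a;&a;&a;&a;&a;&a;&a;</r>
XML

# Parses XML with the DOM API under a temporary entity_expansion_limit of
# LIMIT and forces text expansion (older REXML expands lazily, so the root
# text is read). Returns :raised when the limit aborts expansion, :parsed
# when it completes, :rexml_unavailable when rexml is not installed.
def expansion_outcome(xml, limit)
  return :rexml_unavailable unless REXML_AVAILABLE
  saved = REXML::Security.entity_expansion_limit
  REXML::Security.entity_expansion_limit = limit
  REXML::Document.new(xml).root.text
  :parsed
rescue StandardError
  :raised
ensure
  REXML::Security.entity_expansion_limit = saved if saved
end

if __FILE__ == $0
  %w[&#65; &#x41; &#065; &#0x41;].each do |ref|
    puts format("%-8s old=%-5s new=%s", ref,
                charref_accepted?(OLD_CHARREF, ref),
                charref_accepted?(NEW_CHARREF, ref))
  end
  puts "limit 4:   #{expansion_outcome(ENTITY_XML, 4)}"
  puts "limit 100: #{expansion_outcome(ENTITY_XML, 100)}"
end
```

Running the script lists which references each pattern accepts (only the old pattern takes &#0x41;) and shows the same eight-reference document aborting under a limit of 4 but parsing under a limit of 100; the default limit in REXML::Security is what the SAX and pull parsers now honour after the CVE-2024-41946 patch.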
Updated packages:
  • alt-ruby26_2.6.10-16_amd64.deb
    sha:71dbd91e646969673667052e68ab02a347bed18f
  • alt-ruby26-default-gems_2.6.10-16_amd64.deb
    sha:d8aca07c3f9b58f5d86418e483b0571c76c1cd43
  • alt-ruby26-devel_2.6.10-16_amd64.deb
    sha:6d5b7da0560537554c8d4fa78ea960985bb52c7b
  • alt-ruby26-devel-doc_2.6.10-16_amd64.deb
    sha:ca0261d28e1f6fc483b2c7c0d7fce516535e333e
  • alt-ruby26-doc_2.6.10-16_amd64.deb
    sha:dae18b235a9e4ed1a5068b728748c92b4d29204a
  • alt-ruby26-libs_2.6.10-16_amd64.deb
    sha:f096263de8ec7354277c5a83bfadec9490e4ec5c
  • alt-ruby26-rubygem-bigdecimal_1.4.1-16_amd64.deb
    sha:3d9f436e4d176547a92fb629aa222e58eb56e1c7
  • alt-ruby26-rubygem-did-you-mean_2.6.10-16_amd64.deb
    sha:bf1ae35fd205675ac8d58ced3ea05b19eb2912b6
  • alt-ruby26-rubygem-io-console_0.4.7-16_amd64.deb
    sha:877278afbcca9892d90ba9348750d71e11c1f289
  • alt-ruby26-rubygem-json_2.1.0-16_amd64.deb
    sha:d3ecdbe689c94d497a6c6ef1bf6ee9dcbc4b4a8b
  • alt-ruby26-rubygem-minitest_5.11.3-16_amd64.deb
    sha:5bb53b5f86126bb48dbfa1fe1952bc8ace96395b
  • alt-ruby26-rubygem-net-telnet_0.2.0-16_amd64.deb
    sha:936701f7101bde6183be8100b3df8046b5d0e7c6
  • alt-ruby26-rubygem-openssl_2.6.10-16_amd64.deb
    sha:08bbb8a05ddb56b0ef6d4bcb7251e996db5f7898
  • alt-ruby26-rubygem-power-assert_1.1.3-16_amd64.deb
    sha:2fdfb37e0821dd9da85a11770c3024fdb40cafa6
  • alt-ruby26-rubygem-psych_3.1.0-16_amd64.deb
    sha:e71d42a5562290afcb484b749c92de018736dd2e
  • alt-ruby26-rubygem-rake_12.3.3-16_amd64.deb
    sha:df8fa777bb508178e8d7510fceabfefacbde4366
  • alt-ruby26-rubygem-rdoc_6.1.2.1-16_amd64.deb
    sha:7f65edd20369b9350e45708f85f48f1fcfbf3415
  • alt-ruby26-rubygem-test-unit_3.2.9-16_amd64.deb
    sha:bad905ddc247702e7ab38df54395a37cbd19867c
  • alt-ruby26-rubygem-typeprof_2.6.10-16_amd64.deb
    sha:7789c404d3ec88481a2be0f17b34a463d0889154
  • alt-ruby26-rubygem-xmlrpc_0.3.0-16_amd64.deb
    sha:c4d43257a24a314cb58aa85b67682f5b045e5d76
  • alt-ruby26-rubygems_3.0.3.1-16_amd64.deb
    sha:1f2fc36cb7adb42d326274ebab461e95cc7aa575
  • alt-ruby26-rubygems-devel_3.0.3.1-16_amd64.deb
    sha:26fd9d62d8f106a764f407f3859b3f7d3ceaac27
  • alt-ruby26_2.6.10-16_arm64.deb
    sha:f567993ce5512d6195c3468653dbe74a59b52036
  • alt-ruby26-default-gems_2.6.10-16_arm64.deb
    sha:296e471dc56eca9d679c7dba23e9f59687c34dcb
  • alt-ruby26-devel_2.6.10-16_arm64.deb
    sha:0f242baae50f658d5cb197f80de0ab3d23144704
  • alt-ruby26-devel-doc_2.6.10-16_arm64.deb
    sha:0619936926759238fef291d27f6ed79edfa960fd
  • alt-ruby26-doc_2.6.10-16_arm64.deb
    sha:9af4c925e8523b50de24406046efd2ec11d8fc70
  • alt-ruby26-libs_2.6.10-16_arm64.deb
    sha:d12759b9c7fed36edc950f9410212cbbacde33ed
  • alt-ruby26-rubygem-bigdecimal_1.4.1-16_arm64.deb
    sha:0d3ba28181f726bd3230302d4e58f840f315da35
  • alt-ruby26-rubygem-did-you-mean_2.6.10-16_arm64.deb
    sha:bde024feb48e104286e0e88005e0c111fafa5f4f
  • alt-ruby26-rubygem-io-console_0.4.7-16_arm64.deb
    sha:541e775f12a24d89c43c4964597f17abfe0dbe1c
  • alt-ruby26-rubygem-json_2.1.0-16_arm64.deb
    sha:23f9564098f7a59145afac2ccb647e898af7b7df
  • alt-ruby26-rubygem-minitest_5.11.3-16_arm64.deb
    sha:0ec4a9861acd984bd99eb49f74cadb4dc3607a8b
  • alt-ruby26-rubygem-net-telnet_0.2.0-16_arm64.deb
    sha:b101817d2c80689ec0cb3c8fa7daa54ad818990a
  • alt-ruby26-rubygem-openssl_2.6.10-16_arm64.deb
    sha:208abc7df58e39d3660db575986f55a5d76dfef9
  • alt-ruby26-rubygem-power-assert_1.1.3-16_arm64.deb
    sha:c05d0807e223fc764f83c020eddbb9e617a5cbf8
  • alt-ruby26-rubygem-psych_3.1.0-16_arm64.deb
    sha:acbfe8f014cd604f4bde51ce340740c82ad84e7f
  • alt-ruby26-rubygem-rake_12.3.3-16_arm64.deb
    sha:9ff47809dc9246896a847911c3e27f5d30246d73
  • alt-ruby26-rubygem-rdoc_6.1.2.1-16_arm64.deb
    sha:87884237017372023a41980df60c9d055880710c
  • alt-ruby26-rubygem-test-unit_3.2.9-16_arm64.deb
    sha:8a0947601734f9daa39d7a600db6aba5198f3c8e
  • alt-ruby26-rubygem-typeprof_2.6.10-16_arm64.deb
    sha:1e76fc25d9272d4de64741a959bbe1e4d9a24b23
  • alt-ruby26-rubygem-xmlrpc_0.3.0-16_arm64.deb
    sha:69379f34f6167edc90d1d1c7429e555370235ed5
  • alt-ruby26-rubygems_3.0.3.1-16_arm64.deb
    sha:421ba0c96b87cc126e1760c8bdb53b45bf4b3a5e
  • alt-ruby26-rubygems-devel_3.0.3.1-16_arm64.deb
    sha:235d78e03b5232987e975fa67c6dd4738a2338cf
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.