Release date:
2026-05-07 14:19:06 UTC
Description:
* SECURITY UPDATE: REXML ReDoS via leading-zero hex character reference
- debian/patches/CVE-2024-49761.patch: replace the
/�*((?:\d+)|(?:x[a-fA-F0-9]+));/ regex in unnormalize() with
/&#((?:\d+)|(?:x[a-fA-F0-9]+));/ so that �x...; is no longer
accepted as a hex character reference, eliminating the
catastrophic-backtracking ReDoS on inputs with many leading
zeros.
- CVE-2024-49761
* SECURITY UPDATE: REXML DoS via deep same-local-name attributes
- debian/patches/CVE-2024-43398.patch: replace the per-attribute
tree-walk in Element#[]= with an O(1) parse-time conflict check
using a parser-level @namespaces hash and an expanded_names
hash keyed on [uri, local_part]; seed @namespaces with the
implicitly-bound xml prefix per upstream 78f8712 to avoid
breaking XHTML documents that use both xml:lang and lang.
- CVE-2024-43398
* SECURITY UPDATE: REXML DoS via entity expansion in SAX/pull parsers
- debian/patches/CVE-2024-41946.patch: route the SAX2Parser :text
handler through @parser.unnormalize (upstream prerequisite
4ebf21f), and add @entity_expansion_count + per-call
sum/Security.entity_expansion_text_limit accounting in
BaseParser so that billion-laughs-style XML triggers
"entity expansion has grown too large" / "number of entity
expansions exceeded" in SAX and pull mode, matching the
existing DOM behaviour.
- CVE-2024-41946
* SECURITY UPDATE: REXML DoS via slow processing-instruction parsing
- debian/patches/CVE-2024-41123.patch: rewrite process_instruction
to call parse_name and then match the content separately,
avoiding the catastrophic-backtracking INSTRUCTION_PATTERN
regex; grow the IOSource read buffer exponentially via
min_bytes so that source.match() is O(log n) attempts rather
than O(n) on inputs that never match the regex.
- CVE-2024-41123
Updated packages:
-
alt-ruby30_3.0.7-171_amd64.deb
sha:dd372792e14e9d087703b2a86abaaa9b7ab9e7f6
-
alt-ruby30-default-gems_3.0.7-171_amd64.deb
sha:05b98fe73d50d4ab8f4e959f4ed8b7f7e14db96c
-
alt-ruby30-devel_3.0.7-171_amd64.deb
sha:493024329d1ec6f5d000e8433403285edacde550
-
alt-ruby30-doc_3.0.7-171_amd64.deb
sha:8c97d776dee8e0b41bdf725eeafd04f146c9ef64
-
alt-ruby30-libs_3.0.7-171_amd64.deb
sha:362ba55d19f8878406c0086cf1e299060a01a345
-
alt-ruby30-rubygem-bigdecimal_3.0.0-171_amd64.deb
sha:4be0edea28e4759897fdfb0fb0664cc720dfff2e
-
alt-ruby30-rubygem-bundler_2.2.33-171_amd64.deb
sha:e8aad0461cd3e7083fdf5b34a296ba7f2644c139
-
alt-ruby30-rubygem-io-console_0.5.7-171_amd64.deb
sha:823d92ec88cd16af203c92651cd2e5f9a511eab4
-
alt-ruby30-rubygem-irb_1.3.5-171_amd64.deb
sha:f296889301a77163a936ed4a8e74c785331839f2
-
alt-ruby30-rubygem-json_2.5.1-171_amd64.deb
sha:0b9ec3129b0193540f99a9c27fe1f6d243d4b968
-
alt-ruby30-rubygem-minitest_5.14.2-171_amd64.deb
sha:3b77e26aea1b259e746efbb5a8b4a3019cb00d90
-
alt-ruby30-rubygem-power-assert_1.2.1-171_amd64.deb
sha:c95e66aecec6e5148473e5c809b6db68f4926497
-
alt-ruby30-rubygem-psych_3.3.2-171_amd64.deb
sha:4f3e8ec71cdad199b032b7e7d91f9adeecbb781d
-
alt-ruby30-rubygem-rake_13.0.3-171_amd64.deb
sha:8c759c832613554c79196f84163523cd0131eca6
-
alt-ruby30-rubygem-rbs_1.4.0-171_amd64.deb
sha:2e8a6a32ba3fb8ac6e662a81cc889c3e385e6f38
-
alt-ruby30-rubygem-rdoc_6.3.4.1-171_amd64.deb
sha:973f6e5895c72cbc7c1e48dd94e37e1f149998b5
-
alt-ruby30-rubygem-rexml_3.2.5-171_amd64.deb
sha:c9ea22cf3be8a5a321e55a02c5077b7ee0ee9590
-
alt-ruby30-rubygem-rss_0.2.9-171_amd64.deb
sha:1818690f40f4c9f439d13ce52a3c2c5111bbf024
-
alt-ruby30-rubygem-test-unit_3.3.7-171_amd64.deb
sha:d3f0cf0310d7911d9e70b5fc8d35f232cdf63b96
-
alt-ruby30-rubygem-typeprof_0.15.2-171_amd64.deb
sha:b262b34b0db22f52cdc02dab3f0655cfdf6b5775
-
alt-ruby30-rubygems_3.2.33-171_amd64.deb
sha:2c58d42064b7c5093b6d0ff1c4888b4b956800bd
-
alt-ruby30-rubygems-devel_3.2.33-171_amd64.deb
sha:9c32fb9bbb53a57bfbf595ef2c552015910e6178
-
alt-ruby30_3.0.7-171_arm64.deb
sha:a39d244d1045f47a8a72883edae14a3796c68bee
-
alt-ruby30-default-gems_3.0.7-171_arm64.deb
sha:e5473173ab8f2819667807dd83c4db8bc4a00639
-
alt-ruby30-devel_3.0.7-171_arm64.deb
sha:00878cd728e0b0ff788ce50eb92795e9d39c2676
-
alt-ruby30-doc_3.0.7-171_arm64.deb
sha:1d0c8ba434bdf5b7e470dcf4c936da131231c5dd
-
alt-ruby30-libs_3.0.7-171_arm64.deb
sha:e2813faaa79a163ddef5d3ca7a46425fa0d67932
-
alt-ruby30-rubygem-bigdecimal_3.0.0-171_arm64.deb
sha:09ab4bf33b62c95028739aedd0887e907c78db1c
-
alt-ruby30-rubygem-bundler_2.2.33-171_arm64.deb
sha:9848ec941225468b21c631faac2594bca9a8ca6e
-
alt-ruby30-rubygem-io-console_0.5.7-171_arm64.deb
sha:131915454ef30b1aebe52026ff4fff250617bc40
-
alt-ruby30-rubygem-irb_1.3.5-171_arm64.deb
sha:e91d5fa4b8ba42e89e6adcadb92b74d2a30c1bf6
-
alt-ruby30-rubygem-json_2.5.1-171_arm64.deb
sha:2a07ceac7f062e677985ee01b2dca8da4faa474a
-
alt-ruby30-rubygem-minitest_5.14.2-171_arm64.deb
sha:ab4e879c1bc95b45837f424aa3e5fb33fd5a2be0
-
alt-ruby30-rubygem-power-assert_1.2.1-171_arm64.deb
sha:aa4fe3d093c73a7f9902fdc4ea37b68735dc14d8
-
alt-ruby30-rubygem-psych_3.3.2-171_arm64.deb
sha:270f3e3c8c64991ca6938769fee08b5b6314a9e1
-
alt-ruby30-rubygem-rake_13.0.3-171_arm64.deb
sha:f62f5c8df40ec1e5ff5cc0d8cd91a5ba87e2abf0
-
alt-ruby30-rubygem-rbs_1.4.0-171_arm64.deb
sha:8257b263a6a6ae0ba11b72a9248c88de3078bd9c
-
alt-ruby30-rubygem-rdoc_6.3.4.1-171_arm64.deb
sha:cf16e6c30cf3fc06bff5f1a712b81b19934fe517
-
alt-ruby30-rubygem-rexml_3.2.5-171_arm64.deb
sha:5f0a0663958127328b7e5cce1871c25ebd3bd86f
-
alt-ruby30-rubygem-rss_0.2.9-171_arm64.deb
sha:dfd96556b64ebd2a6f8a94e11978bd3a027d36cb
-
alt-ruby30-rubygem-test-unit_3.3.7-171_arm64.deb
sha:b88528ab787a9417a17cfba39aa88f2f95dd7c4b
-
alt-ruby30-rubygem-typeprof_0.15.2-171_arm64.deb
sha:563b9c33c46de89653a80f04ead7aa1f492dfc7a
-
alt-ruby30-rubygems_3.2.33-171_arm64.deb
sha:6afb689decdf7679e3274eda8ab46db8e80bbbca
-
alt-ruby30-rubygems-devel_3.2.33-171_arm64.deb
sha:9fca40ef29a17195efaed75f4db6c2b6474b94f5
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
