[CLSA-2026:1778166004] Fix CVE(s): CVE-2024-41123, CVE-2024-41946, CVE-2024-43398, CVE-2024-49761
Type:
security
Severity:
Important
Release date:
2026-05-07 15:00:11 UTC
Description:
* SECURITY UPDATE: REXML ReDoS via leading-zero hex character reference
  - debian/patches/CVE-2024-49761.patch: replace the /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ regex in unnormalize() with /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ so that &#0x...; is no longer accepted as a hex character reference, eliminating the catastrophic-backtracking ReDoS on inputs with many leading zeros.
  - CVE-2024-49761
* SECURITY UPDATE: REXML DoS via deep same-local-name attributes
  - debian/patches/CVE-2024-43398.patch: replace the per-attribute tree-walk in Element#[]= with an O(1) parse-time conflict check using a parser-level @namespaces hash and an expanded_names hash keyed on [uri, local_part]; seed @namespaces with the implicitly-bound xml prefix per upstream 78f8712 to avoid breaking XHTML documents that use both xml:lang and lang.
  - CVE-2024-43398
* SECURITY UPDATE: REXML DoS via entity expansion in SAX/pull parsers
  - debian/patches/CVE-2024-41946.patch: route the SAX2Parser :text handler through @parser.unnormalize (upstream prerequisite 4ebf21f), and add @entity_expansion_count + per-call sum/Security.entity_expansion_text_limit accounting in BaseParser so that billion-laughs-style XML triggers "entity expansion has grown too large" / "number of entity expansions exceeded" in SAX and pull mode, matching the existing DOM behaviour.
  - CVE-2024-41946
* SECURITY UPDATE: REXML DoS via slow processing-instruction parsing
  - debian/patches/CVE-2024-41123.patch: rewrite process_instruction to call parse_name and then match the content separately, avoiding the catastrophic-backtracking INSTRUCTION_PATTERN regex; grow the IOSource read buffer exponentially via min_bytes so that source.match() is O(log n) attempts rather than O(n) on inputs that never match the regex.
  - CVE-2024-41123
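The CVE-2024-49761 entry above names the exact regex that was replaced. As an added example (not code from this advisory, from CloudLinux or from the REXML project), the block below places the pre-patch and post-patch patterns side by side and runs each through a small unnormalize-style decoder, so the observable difference is clear: the old pattern treats the non-standard leading-zero form "&#0x41;" as a hex reference (and is what backtracks on long runs of zeros), while the fixed pattern accepts only "&#NNN;" and "&#xHH;". The decoder itself is a simplified stand-in for REXML's unnormalize(), not its real implementation.

```ruby
# Added example, not CloudLinux's or REXML's code: the numeric character
# reference regex before and after the CVE-2024-49761 fix, applied by a
# simplified stand-in for REXML's unnormalize() so the difference is visible.

# Pattern REXML used before the patch (as quoted in the advisory). The "0*"
# makes "&#0x41;" match as a hex reference and, on "&#" followed by many
# zeros with no terminating ";", backtracks quadratically (the ReDoS).
VULNERABLE_CHAR_REF = /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/

# Pattern after the patch: only the spec forms "&#123;" and "&#x7B;" match.
FIXED_CHAR_REF = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/

# Decode every numeric character reference in +text+ that +pattern+ accepts.
# Anything the pattern does not match is left in place, which is exactly
# what separates the two patterns on input such as "&#0x41;".
def decode_char_refs(text, pattern = FIXED_CHAR_REF)
  text.gsub(pattern) do
    ref = Regexp.last_match(1)          # "65" or "x41"
    codepoint = ref.start_with?("x") ? ref[1..].hex : ref.to_i
    codepoint.chr(Encoding::UTF_8)
  end
end

# Does +pattern+ recognise +ref+ as a character reference at all?
def char_ref?(ref, pattern)
  !(ref =~ pattern).nil?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input, not taken from any report or exploit.
  sample = "A=&#65; hex=&#x41; leading-zero-hex=&#0x41;"
  puts "vulnerable: #{decode_char_refs(sample, VULNERABLE_CHAR_REF)}"
  puts "fixed:      #{decode_char_refs(sample, FIXED_CHAR_REF)}"
end
```

Only the acceptance difference is exercised here; the quadratic backtracking of the old pattern on "&#" followed by a long run of zeros is the part of the defect that makes it a denial of service, and it is not triggered by these short inputs. Note that the fixed pattern still accepts leading zeros in the decimal form ("&#065;") because \d+ matches them, which is consistent with the upstream change described above.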
Updated packages:
  • alt-ruby30_3.0.7-171_amd64.deb
    sha:98931347c4354e77ac9746eecde23727866c640a
  • alt-ruby30-default-gems_3.0.7-171_amd64.deb
    sha:c5e2dd57a28fb9772a6fb39891818954d9bdb4aa
  • alt-ruby30-devel_3.0.7-171_amd64.deb
    sha:0226e3aa50de8b7adf21ce92aa61ea862673b6e6
  • alt-ruby30-doc_3.0.7-171_amd64.deb
    sha:b6154d185969b9150b5169e243588c9d1bdbde06
  • alt-ruby30-libs_3.0.7-171_amd64.deb
    sha:6efd1915f95555c311c3ffdbbe86aa323f9c2c7a
  • alt-ruby30-rubygem-bigdecimal_3.0.0-171_amd64.deb
    sha:17bce0f1991a5466a4a39190000e33ab4fda4305
  • alt-ruby30-rubygem-bundler_2.2.33-171_amd64.deb
    sha:a233334436b9d67ed08522616e4951808f0fb5b9
  • alt-ruby30-rubygem-io-console_0.5.7-171_amd64.deb
    sha:3ccc751065f1cc786bf910cf0abaa0c71806c2ca
  • alt-ruby30-rubygem-irb_1.3.5-171_amd64.deb
    sha:be8e40a10bfea8b8b244dfc0f00fc9a4bea480e0
  • alt-ruby30-rubygem-json_2.5.1-171_amd64.deb
    sha:3cb94e17db776f7f1609a3f37cbd8924390f1daf
  • alt-ruby30-rubygem-minitest_5.14.2-171_amd64.deb
    sha:c5515ab9fd8d5a45ace25f9d5e7a2a5a6559e618
  • alt-ruby30-rubygem-power-assert_1.2.1-171_amd64.deb
    sha:96fd304b93ea70380284ae9d7b9568e4f6a53701
  • alt-ruby30-rubygem-psych_3.3.2-171_amd64.deb
    sha:0297e5875dedd980299c9a91164d37750e07b7a7
  • alt-ruby30-rubygem-rake_13.0.3-171_amd64.deb
    sha:b5b6851385a32e2ec307086951fc839eaef68e39
  • alt-ruby30-rubygem-rbs_1.4.0-171_amd64.deb
    sha:72ddf46dc018ed054100622960f20849a9b00612
  • alt-ruby30-rubygem-rdoc_6.3.4.1-171_amd64.deb
    sha:41f856841847fc0e23c74b315163cee31a0de355
  • alt-ruby30-rubygem-rexml_3.2.5-171_amd64.deb
    sha:cc1a76540785183fe4c514906b28cf6120c15bb4
  • alt-ruby30-rubygem-rss_0.2.9-171_amd64.deb
    sha:6de7def73f1feba48752d21f5e9f9f31cafd40b3
  • alt-ruby30-rubygem-test-unit_3.3.7-171_amd64.deb
    sha:0637110a58d4d2618ff8307d874aa4cb1c3a81d7
  • alt-ruby30-rubygem-typeprof_0.15.2-171_amd64.deb
    sha:9efdb6cac416154fd67ec4c9f2d5e2be19b66302
  • alt-ruby30-rubygems_3.2.33-171_amd64.deb
    sha:ee49e818e7186382b1a615764b6ad1758a7efd1d
  • alt-ruby30-rubygems-devel_3.2.33-171_amd64.deb
    sha:cca76398bc2d6d30ec65c008ea351344b77b39ce
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.