Release date: 2026-05-07 17:12:47 UTC
Description:
* SECURITY UPDATE: REXML ReDoS via leading-zero hex character reference
- debian/patches/CVE-2024-49761.patch: replace the
/&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ regex in unnormalize() with
/&#((?:\d+)|(?:x[a-fA-F0-9]+));/ so that &#0x...; is no longer
accepted as a hex character reference, eliminating the
catastrophic-backtracking ReDoS on inputs with many leading
zeros.
- CVE-2024-49761
* SECURITY UPDATE: REXML DoS via deep same-local-name attributes
- debian/patches/CVE-2024-43398.patch: replace the per-attribute
tree-walk in Element#[]= with an O(1) parse-time conflict check
using a parser-level @namespaces hash and an expanded_names
hash keyed on [uri, local_part]; seed @namespaces with the
implicitly-bound xml prefix per upstream 78f8712 to avoid
breaking XHTML documents that use both xml:lang and lang.
- CVE-2024-43398
* SECURITY UPDATE: REXML DoS via entity expansion in SAX/pull parsers
- debian/patches/CVE-2024-41946.patch: route the SAX2Parser :text
handler through @parser.unnormalize (upstream prerequisite
4ebf21f), and add @entity_expansion_count + per-call
sum/Security.entity_expansion_text_limit accounting in
BaseParser so that billion-laughs-style XML triggers
"entity expansion has grown too large" / "number of entity
expansions exceeded" in SAX and pull mode, matching the
existing DOM behaviour.
- CVE-2024-41946
* SECURITY UPDATE: REXML DoS via slow processing-instruction parsing
- debian/patches/CVE-2024-41123.patch: rewrite process_instruction
to call parse_name and then match the content separately,
avoiding the catastrophic-backtracking INSTRUCTION_PATTERN
regex; grow the IOSource read buffer exponentially via
min_bytes so that source.match() is O(log n) attempts rather
than O(n) on inputs that never match the regex.
- CVE-2024-41123
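The CVE-2024-49761 entry above describes a one-token change to the character-reference regex in unnormalize(). The following is an added example, not the CloudLinux patch or REXML's own code: a minimal numeric-character-reference decoder that carries the pre-fix pattern beside the fixed one so the behavioural difference can be checked directly. The helper name decode_char_refs and the constants are assumptions introduced for the illustration.

```ruby
# Added example (not the patch or REXML code): numeric character reference
# decoding with the old and the fixed regex side by side.

# Pre-fix pattern: the optional run of leading zeros (0*) overlaps with the
# \d+ alternative, so a long run of zeros followed by something that is not a
# valid reference makes the engine try every split point before failing.
OLD_CHAR_REF = /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/

# Fixed pattern (as described in the changelog entry): digits, or "x" plus hex
# digits, must start immediately after "&#". There is no longer any overlap
# between a leading-zero run and the captured digits.
NEW_CHAR_REF = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/

# Replace every numeric character reference matched by +pattern+ with the
# corresponding UTF-8 character; anything that does not match is left as-is.
def decode_char_refs(text, pattern = NEW_CHAR_REF)
  text.gsub(pattern) do
    m = Regexp.last_match(1)
    code_point = m.start_with?("x") ? Integer(m[1..-1], 16) : Integer(m, 10)
    [code_point].pack("U*")
  end
end
```

Note that decimal references with leading zeros (such as &#065;) still decode under the fixed pattern, because the zeros are simply part of the \d+ capture; only the form with zeros between "&#" and "x" stops being treated as a reference.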
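The CVE-2024-43398 entry replaces a per-attribute tree walk with a conflict check keyed on the expanded name [uri, local_part], seeded with the implicitly bound xml prefix. This added example (not REXML's or the patch's code) shows that check in isolation: prefixes are resolved through an in-scope namespace map, two attributes conflict only when their expanded names are equal, and xml:lang and lang do not collide because the xml prefix resolves to the XML namespace URI. The function names expanded_name and check_attributes are assumptions for the illustration.

```ruby
# Added example (not the patch or REXML code): parse-time duplicate attribute
# detection keyed on [namespace URI, local name].

# URI to which the "xml" prefix is bound implicitly in every XML document.
XML_NS = "http://www.w3.org/XML/1998/namespace"

# Expanded name of an attribute: [uri, local]. Unprefixed attributes are in
# no namespace (the default namespace does not apply to attributes).
def expanded_name(qname, namespaces)
  prefix, local = qname.split(":", 2)
  return [nil, qname] if local.nil?
  uri = namespaces[prefix]
  raise ArgumentError, "undeclared prefix #{prefix} on attribute #{qname}" unless uri
  [uri, local]
end

# attrs is an ordered Hash of qualified name => value for one start tag.
# Returns the Hash of expanded name => value, or raises on a conflict.
# Each attribute costs one hash lookup, rather than a walk over the element.
def check_attributes(attrs)
  namespaces = { "xml" => XML_NS }        # seeded with the implicit binding
  attrs.each_key do |qname|
    namespaces[qname[6..-1]] = attrs[qname] if qname.start_with?("xmlns:")
  end

  seen = {}
  attrs.each do |qname, value|
    next if qname == "xmlns" || qname.start_with?("xmlns:")
    key = expanded_name(qname, namespaces)
    if seen.key?(key)
      raise "duplicate attribute #{qname} (expanded name #{key.inspect})"
    end
    seen[key] = value
  end
  seen
end
```

Two differently prefixed attributes whose prefixes are bound to the same URI (a:id and b:id with both prefixes mapped to the same namespace) are the conflict this catches, while xml:lang next to a plain lang attribute passes.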
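The CVE-2024-41946 entry adds two pieces of accounting to the SAX and pull parsers: a count of entity expansions and a per-call running total of expanded text, each compared against a limit. This added example (not REXML's or the patch's code) models that accounting over a tiny hand-written entity table so the two error paths can be exercised. The class EntityExpander and the helper expansion_outcome are assumptions for the illustration; the limit values are deliberately small and constructed so the example runs instantly, whereas REXML's real defaults live in REXML::Security (entity_expansion_limit and entity_expansion_text_limit).

```ruby
# Added example (not the patch or REXML code): entity expansion with a
# count limit and a text-size limit, as the SAX/pull path now enforces.
class EntityExpander
  # entities: name => replacement text (which may itself contain references).
  # Limits are constructed for this example and are far below REXML's defaults.
  def initialize(entities, expansion_limit: 20, text_limit: 256)
    @entities = entities
    @expansion_limit = expansion_limit
    @text_limit = text_limit
    @entity_expansion_count = 0      # survives across calls, like the parser's
  end

  # Expand references until none remain, checking both limits on every step.
  def expand(text)
    sum = 0                          # per-call total of expanded bytes
    loop do
      replaced = text.gsub(/&([A-Za-z_][\w.-]*);/) do
        replacement = @entities[Regexp.last_match(1)]
        next Regexp.last_match(0) unless replacement   # unknown name: leave as-is
        @entity_expansion_count += 1
        if @entity_expansion_count > @expansion_limit
          raise "number of entity expansions exceeded"
        end
        sum += replacement.bytesize
        raise "entity expansion has grown too large" if sum > @text_limit
        replacement
      end
      return replaced if replaced == text   # nothing left to expand
      text = replaced
    end
  end
end

# Constructed sample (not from a real document): a short billion-laughs-style
# chain in which each level references the level below it four times.
NESTED_ENTITIES = {
  "l0" => "x" * 8,
  "l1" => "&l0;" * 4,
  "l2" => "&l1;" * 4,
  "l3" => "&l2;" * 4,
}

# Returns [:ok, expanded_text] or [:blocked, error_message].
def expansion_outcome(entities, text, **limits)
  [:ok, EntityExpander.new(entities, **limits).expand(text)]
rescue RuntimeError => e
  [:blocked, e.message]
end
```

With the constructed limits, expanding &l3; is stopped by the text-size check before the count check fires, while a flat run of many tiny references trips the count check first; which limit fires depends on the shape of the input, which is why the parser keeps both.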
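The CVE-2024-41123 entry also changes how the IOSource read buffer grows, so that a regex that never matches is retried O(log n) times instead of O(n) times as the input is consumed. This added example (not REXML's IOSource or the patch's code) is a simplified buffered source that counts its match attempts under a fixed-increment strategy and under doubling, which is the assumed model of the patch's min_bytes growth; GrowingSource, attempts_for and the sample input are assumptions constructed for the illustration.

```ruby
# Added example (not the patch or REXML code): read-buffer growth strategy and
# its effect on the number of regex attempts for a non-matching input.
require "stringio"

class GrowingSource
  attr_reader :attempts

  def initialize(io, chunk: 512, exponential: true)
    @io = io
    @buffer = +""
    @min_bytes = chunk          # bytes requested on the next read
    @exponential = exponential
    @attempts = 0
  end

  # Try the pattern against what is buffered; on failure read more and retry
  # until the pattern matches or the input is exhausted (returns nil).
  def match(pattern)
    loop do
      @attempts += 1
      m = pattern.match(@buffer)
      return m if m
      data = @io.read(@min_bytes)
      return nil if data.nil?
      @buffer << data
      @min_bytes *= 2 if @exponential   # doubling: O(log n) reads and attempts
    end
  end
end

# Constructed input: 64 KiB of text that never contains a PI terminator.
SAMPLE_NO_TERMINATOR = "x" * 65_536

# Number of match attempts made before giving up on the sample input.
def attempts_for(text, exponential:)
  src = GrowingSource.new(StringIO.new(text), exponential: exponential)
  src.match(/\?>/)
  src.attempts
end
```

On the 64 KiB sample the fixed 512-byte increment makes 129 attempts and the doubling strategy 9; each attempt rescans the whole buffer, so the linear strategy also does quadratic total work, which is the cost the changelog entry refers to.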
Updated packages:
- alt-ruby30_3.0.7-171_amd64.deb sha:42674c6f33f71eea40f6e5f5454c030dda031fc8
- alt-ruby30-default-gems_3.0.7-171_amd64.deb sha:2ac93a03f5e21262024d1b8cd843655b88723f2f
- alt-ruby30-devel_3.0.7-171_amd64.deb sha:5d928604189275325fb28983619296be70edf9d7
- alt-ruby30-doc_3.0.7-171_amd64.deb sha:1bedd629bb5fcfac0927d16bdbcc5ba7405e88d6
- alt-ruby30-libs_3.0.7-171_amd64.deb sha:bde660513f3242dc4dcf3700652abc36307ad27e
- alt-ruby30-rubygem-bigdecimal_3.0.0-171_amd64.deb sha:a016051b9e3c0649db383751c5ad824d9c1dded9
- alt-ruby30-rubygem-bundler_2.2.33-171_amd64.deb sha:cf9e5fcfdf6005288b95a65a36c49f5fb210e00e
- alt-ruby30-rubygem-io-console_0.5.7-171_amd64.deb sha:957eec8923d9f094e3aea55f7fb0d7f10ead12e3
- alt-ruby30-rubygem-irb_1.3.5-171_amd64.deb sha:1c7b45d6dbb200531d03fbb4fd8f28dc8784a695
- alt-ruby30-rubygem-json_2.5.1-171_amd64.deb sha:2227fa4854ca7cf6f8d125522756b231d78617d0
- alt-ruby30-rubygem-minitest_5.14.2-171_amd64.deb sha:8c46348cba38bbb190098256a360b57f860a8c60
- alt-ruby30-rubygem-power-assert_1.2.1-171_amd64.deb sha:09827a79650460e8064dd54497545b1046d4a54f
- alt-ruby30-rubygem-psych_3.3.2-171_amd64.deb sha:0e5772e31e3ff002d053985e309ebabbc09ac282
- alt-ruby30-rubygem-rake_13.0.3-171_amd64.deb sha:d289cd467a0e07db8bfc6fc210af8c0455212d10
- alt-ruby30-rubygem-rbs_1.4.0-171_amd64.deb sha:1c89f0dbf3d53b4ab4fc0be3cc6f99093bcd3f93
- alt-ruby30-rubygem-rdoc_6.3.4.1-171_amd64.deb sha:2c522e0ceff4c018fd7a8e446c2e2b0c0ff68ff4
- alt-ruby30-rubygem-rexml_3.2.5-171_amd64.deb sha:6e51dfb1164df825e507706b56adfde45ad3aca0
- alt-ruby30-rubygem-rss_0.2.9-171_amd64.deb sha:08cc8b7055ceea559a36491a18258bc35ef0190e
- alt-ruby30-rubygem-test-unit_3.3.7-171_amd64.deb sha:9df3c498b79404d80e4343c96351fbb8afcc0847
- alt-ruby30-rubygem-typeprof_0.15.2-171_amd64.deb sha:b3f9cefe6e9eae7f886d7655b75feb9247e97ea3
- alt-ruby30-rubygems_3.2.33-171_amd64.deb sha:a73886b2ace01dfeb864ca8556687c35c870bd2f
- alt-ruby30-rubygems-devel_3.2.33-171_amd64.deb sha:643cf636f42b02d05b7538d0b8ed22bb606d2b04
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.