Release date: 2026-06-08 12:04:01 UTC
Description:
* SECURITY UPDATE: REXML DoS via attribute value with many '>' characters
  - debian/patches/CVE-2024-35176.patch: replace the per-'>'-chunk
    re-read loop in parse_attributes with a single-pass read of the
    attribute value up to the closing quote followed by a read up to
    the actual tag end, so that an attribute value containing N
    repeated '>' characters parses in O(N) time instead of O(N**2).
    Also fix the latent EOF handling in IOSource#match introduced
    with CVE-2024-41123 so the partially-filled buffer is matched
    against the pattern one last time before the source is declared
    exhausted, which is now exercised by the new value-rest read.
  - CVE-2024-35176
* SECURITY UPDATE: REXML ReDoS via repeated spaces in ATTLIST
  - debian/patches/CVE-2024-39908.patch: strip the matched ATTLIST
    contents before applying ATTDEF_RE so that trailing whitespace
    after a valid attdef does not trigger catastrophic backtracking
    in the per-attdef scan. Adapted byte-identically from upstream
    ruby/rexml@1f1e6e9; the other eight commits referenced by this
    CVE address O(N**2) source.match interactions that are already
    mitigated here by the min_bytes-doubling introduced in the
    CVE-2024-41123 backport (verified by microbench against all
    eight upstream test vectors at N=200000).
  - CVE-2024-39908
Updated packages:
- alt-ruby27_2.7.8-4_amd64.deb  sha:6bd6acf6125f7db51a3d0d93e7ae4c17a9d7d159
- alt-ruby27-default-gems_2.7.8-4_amd64.deb  sha:46ba347910c62c3adc4ae4423db94ca1f86a2fad
- alt-ruby27-devel_2.7.8-4_amd64.deb  sha:9c4902b304bc3ec15c13e3dac041492369a1b1ed
- alt-ruby27-doc_2.7.8-4_amd64.deb  sha:2d6cc5d5577829596790812733c1240021da9bd2
- alt-ruby27-libs_2.7.8-4_amd64.deb  sha:25cf9c4c4ea8beb75ddd73c32fcf7461c64d2da6
- alt-ruby27-rubygem-bigdecimal_2.0.0-4_amd64.deb  sha:a5a6139495707a53ac952ddba4133b34c1fa4a9c
- alt-ruby27-rubygem-bundler_2.2.24-4_amd64.deb  sha:6d5f3c0c1b59a02a5fcc4b5415f37f49e79d888d
- alt-ruby27-rubygem-io-console_0.5.6-4_amd64.deb  sha:a90e5cdf4f121454705d5c091d3c6558385c9ee8
- alt-ruby27-rubygem-irb_1.2.6-4_amd64.deb  sha:7ab3eedd564b1778fbbd014581d56c5681267eae
- alt-ruby27-rubygem-json_2.3.0-4_amd64.deb  sha:52d174b3a4d8002a3b4ba56628664f8fa07dfc11
- alt-ruby27-rubygem-minitest_5.13.0-4_amd64.deb  sha:c5cee3c9a7e98f366cebccef03af609c911118e0
- alt-ruby27-rubygem-net-telnet_0.2.0-4_amd64.deb  sha:d8503c0fd9a214f3fd7042b2f7fb79efa7ed634c
- alt-ruby27-rubygem-power-assert_1.1.7-4_amd64.deb  sha:6fcd0c386304521b5f6575e7da37e72cb67642d8
- alt-ruby27-rubygem-psych_3.1.0-4_amd64.deb  sha:306a9f008acf926392b0514b5655065ab07ec88a
- alt-ruby27-rubygem-rake_13.0.1-4_amd64.deb  sha:d4102206acbee152abd43f190784d6a6b7c26b12
- alt-ruby27-rubygem-rdoc_6.2.1.1-4_amd64.deb  sha:b0dae7db4fca4fb8a2929a5129c797299e9d95cc
- alt-ruby27-rubygem-test-unit_3.3.4-4_amd64.deb  sha:66c3d922a4f09556bb1800af5e14e9fda486d2f4
- alt-ruby27-rubygem-typeprof_2.7.8-4_amd64.deb  sha:9cdf6e3d0ec0c33bf5271322e1232526ac65befe
- alt-ruby27-rubygem-xmlrpc_0.3.0-4_amd64.deb  sha:f1379b755c0d8f901acb5d73ba4087d285905f8e
- alt-ruby27-rubygems_3.1.6-4_amd64.deb  sha:12df18e71f837fc445697fbf59470370601e9960
- alt-ruby27-rubygems-devel_3.1.6-4_amd64.deb  sha:34e4792d0d5641c7ddf60085f1c567ff898f6cac
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.