[CLSA-2026:1780923272] Fix CVE(s): CVE-2024-35176, CVE-2024-39908

Type:

security

Severity:

Moderate

Release date:

2026-06-08 18:04:24 UTC

Description:

   * SECURITY UPDATE: REXML DoS via many '<' or '>' characters in an attribute value
     - debian/patches/CVE-2024-35176.patch: in parse_attributes, when the
       outer @source.match stops at a '>' inside a quoted attribute value,
       read forward to the actual closing quote in a single chunk instead
       of looping one '>' at a time, so the per-attribute outer loop is
       O(1) iterations rather than O(n). Also extend IOSource#match to
       always re-try the regex after read() returns false at EOF so the
       final partially-filled buffer is still matched.
     - CVE-2024-35176
   * SECURITY UPDATE: REXML ReDoS via repeated zeros in a character reference
     - debian/patches/CVE-2024-39908.patch: rewrite REXML::Text.check to
       iterate over '<' and '&' sentinels with String#index and validate
       each entity / character reference explicitly, instead of
       string.scan() with the NEEDS_A_SECOND_CHECK regex whose '�*'
       branch caused O(n^2) backtracking on inputs with many leading
       zeros. The remaining CVE-2024-39908 subvariants (repeated '>'
       inside 
                

CVEs fixed:

Updated packages:

alt-ruby30_3.0.7-172_amd64.deb
sha:ac6300bd6b4834b27aefabb72e30816a038031f0
alt-ruby30-default-gems_3.0.7-172_amd64.deb
sha:3c63c826dc45251bb3c1150192e1670103d20cf5
alt-ruby30-devel_3.0.7-172_amd64.deb
sha:b73ec555e7d76fac7ff3742a87b4fe47fa81bbc0
alt-ruby30-doc_3.0.7-172_amd64.deb
sha:3c0192d4dd1f4a83baa7a750287266eac218d067
alt-ruby30-libs_3.0.7-172_amd64.deb
sha:d1759a6aebd6123d4677f9b69c2b96aefb1d2df5
alt-ruby30-rubygem-bigdecimal_3.0.0-172_amd64.deb
sha:74595302186d80efa0d14381782fd6a9998f8279
alt-ruby30-rubygem-bundler_2.2.33-172_amd64.deb
sha:4909f7981b5e37417bfb80ebcde5b3bd0ca8213f
alt-ruby30-rubygem-io-console_0.5.7-172_amd64.deb
sha:9432d49e77750fcab6468818811c04b96ae56da9
alt-ruby30-rubygem-irb_1.3.5-172_amd64.deb
sha:3cddb8ae3af45494f89a308a4e90a2fa4241e376
alt-ruby30-rubygem-json_2.5.1-172_amd64.deb
sha:c0dcd7413037daad5fcdef5cd75889e008c2d136
alt-ruby30-rubygem-minitest_5.14.2-172_amd64.deb
sha:3b128e6bcdc205e47a6c2a9f632242bc2c6d63bf
alt-ruby30-rubygem-power-assert_1.2.1-172_amd64.deb
sha:315c22f1a12421c003e5d8048624c7a218b37c73
alt-ruby30-rubygem-psych_3.3.2-172_amd64.deb
sha:32ea158f3bb02b9c0c7f98a3f018b00c2b8ab9d4
alt-ruby30-rubygem-rake_13.0.3-172_amd64.deb
sha:b9546ab6f3c6cf81681c0cd895fb5406d7830c95
alt-ruby30-rubygem-rbs_1.4.0-172_amd64.deb
sha:b8a30083fea4d408851f0ab7727201ae0d026367
alt-ruby30-rubygem-rdoc_6.3.4.1-172_amd64.deb
sha:2d1dde483ed45c098da543080d7cd1d28f10cdae
alt-ruby30-rubygem-rexml_3.2.5-172_amd64.deb
sha:44eb06c601ae197676bbfa518f5db35801440671
alt-ruby30-rubygem-rss_0.2.9-172_amd64.deb
sha:6e82f8fb241fe578d15e8f117f01ef06fc7c8e25
alt-ruby30-rubygem-test-unit_3.3.7-172_amd64.deb
sha:1034852a00d1510367aa8e6137d6e4a15e9702c2
alt-ruby30-rubygem-typeprof_0.15.2-172_amd64.deb
sha:6fb4ee68d270dac8b9ac6c82a7914a68b0640441
alt-ruby30-rubygems_3.2.33-172_amd64.deb
sha:c3a25b5addb391d1603675e50b6e2d33577908ac
alt-ruby30-rubygems-devel_3.2.33-172_amd64.deb
sha:4d015687df6567432d48ebc59853c3727d208a89
alt-ruby30_3.0.7-172_arm64.deb
sha:41c486f0a9538d9cb7b98d23d7d3b29a4f8b8fba
alt-ruby30-default-gems_3.0.7-172_arm64.deb
sha:edf774ce5c4c128dba1f80b53bdc372c3b359b29
alt-ruby30-devel_3.0.7-172_arm64.deb
sha:a7f1f7629d0e8e42244ed4398336fec80195d43d
alt-ruby30-doc_3.0.7-172_arm64.deb
sha:0487271b38bf70433d38abb8edcdc32027d8aa9f
alt-ruby30-libs_3.0.7-172_arm64.deb
sha:8fc91da95edf30a3f14d937bbfdf2297fff7dd4e
alt-ruby30-rubygem-bigdecimal_3.0.0-172_arm64.deb
sha:44a9485c4c0fe85dff3f7ad846d25005cce6da1b
alt-ruby30-rubygem-bundler_2.2.33-172_arm64.deb
sha:f0548004d994cd06d89a5b34dfc1957f5cbb831c
alt-ruby30-rubygem-io-console_0.5.7-172_arm64.deb
sha:66605f913ee0c05a162cf0b036f692587ff39d9b
alt-ruby30-rubygem-irb_1.3.5-172_arm64.deb
sha:1ab07de4fe2fd722d797a6d478af05e43e0ed0f3
alt-ruby30-rubygem-json_2.5.1-172_arm64.deb
sha:c1abcf73c8702f88ed1e2d76b706393f6d069d5b
alt-ruby30-rubygem-minitest_5.14.2-172_arm64.deb
sha:0c4409e04e8e9c885f07d375bcf88ee5b24ea0ec
alt-ruby30-rubygem-power-assert_1.2.1-172_arm64.deb
sha:791c0216ea43cfd376b4e9a03f3e15f44ed080f1
alt-ruby30-rubygem-psych_3.3.2-172_arm64.deb
sha:afc8f9f4db62c6d01b06961dc7dff39cb263e1ad
alt-ruby30-rubygem-rake_13.0.3-172_arm64.deb
sha:6a083d9d48c501d86b76d75775dab3727363e2aa
alt-ruby30-rubygem-rbs_1.4.0-172_arm64.deb
sha:09d3566f52f914cae35f048feedd6169838c42b2
alt-ruby30-rubygem-rdoc_6.3.4.1-172_arm64.deb
sha:bb2ddf49f1f5496451d725fc5ac44100531eccb9
alt-ruby30-rubygem-rexml_3.2.5-172_arm64.deb
sha:8c9c9327d2d3f224a9dda7822f36db90e9c7dc76
alt-ruby30-rubygem-rss_0.2.9-172_arm64.deb
sha:13c14afed62bb9bc315d40c8e9ff3540a711c350
alt-ruby30-rubygem-test-unit_3.3.7-172_arm64.deb
sha:47fde52fe0b48b43146d2ca6098ffb926629b040
alt-ruby30-rubygem-typeprof_0.15.2-172_arm64.deb
sha:206196df72a2a40d93981f23222dfe9f162c4128
alt-ruby30-rubygems_3.2.33-172_arm64.deb
sha:8bcba3daaad904f5d54fa3c09d860bd744ce8479
alt-ruby30-rubygems-devel_3.2.33-172_arm64.deb
sha:3ddf0e1156420c4bfaf4cf3f1f681f0985e82304

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.