[CLSA-2026:1780922123] Fix CVE(s): CVE-2024-35176, CVE-2024-39908
Type: security
Severity: Moderate
Release date: 2026-06-08 12:37:25 UTC
Description:
  * SECURITY UPDATE: REXML DoS via attribute value with many '>' characters
    - debian/patches/CVE-2024-35176.patch: replace the per-'>'-chunk re-read loop in parse_attributes with a single-pass read of the attribute value up to the closing quote followed by a read up to the actual tag end, so that an attribute value containing N repeated '>' characters parses in O(N) time instead of O(N**2). Also fix the latent EOF handling in IOSource#match introduced with CVE-2024-41123 so the partially-filled buffer is matched against the pattern one last time before the source is declared exhausted, which is now exercised by the new value-rest read.
    - CVE-2024-35176
  * SECURITY UPDATE: REXML ReDoS via repeated spaces in ATTLIST
    - debian/patches/CVE-2024-39908.patch: strip the matched ATTLIST contents before applying ATTDEF_RE so that trailing whitespace after a valid attdef does not trigger catastrophic backtracking in the per-attdef scan. Adapted byte-identically from upstream ruby/rexml@1f1e6e9; the other eight commits referenced by this CVE address O(N**2) source.match interactions that are already mitigated here by the min_bytes-doubling introduced in the CVE-2024-41123 backport (verified by microbench against all eight upstream test vectors at N=200000).
    - CVE-2024-39908
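The complexity change described for CVE-2024-35176, as an added example that is not REXML's parse_attributes or the patch itself: a simplified model that counts the bytes each strategy examines on a constructed single-attribute tag. The names `constructed_tag`, `chunked_rescan`, `single_pass` and `ATTR_RE` are hypothetical.

```ruby
require "strscan"

# Simplified single-attribute pattern (an assumption, not REXML's regex).
ATTR_RE = /\A\s*([\w:.-]+)\s*=\s*(["'])(.*?)\2\s*\/?>\z/m

# Constructed sample: one attribute whose value is n '>' characters.
def constructed_tag(n)
  %(a=") + ">" * n + %(">)
end

# Pre-fix model: grow the buffer to the next '>' and rescan all of it.
def chunked_rescan(tag_body)
  src = StringScanner.new(tag_body)
  buffer = +""
  scanned = 0
  until src.eos?
    chunk = src.scan_until(/>/)
    break unless chunk                 # no tag end left: malformed input
    buffer << chunk
    scanned += buffer.bytesize         # every retry starts from byte 0
    m = ATTR_RE.match(buffer)
    return { name: m[1], value: m[3], scanned: scanned } if m
  end
  nil
end

# Post-fix model: read the value up to its closing quote once, then read
# up to the real tag end. Each byte is consumed exactly once.
def single_pass(tag_body)
  src = StringScanner.new(tag_body)
  src.skip(/\s*/)
  name = src.scan(/[\w:.-]+/) or return nil
  src.skip(/\s*=\s*/) or return nil
  quote = src.getch
  return nil unless ['"', "'"].include?(quote)
  value = src.scan_until(/#{Regexp.escape(quote)}/) or return nil
  src.scan_until(/>/) or return nil
  { name: name, value: value.chomp(quote), scanned: src.pos }
end

if __FILE__ == $PROGRAM_NAME
  [1_000, 2_000, 4_000].each do |n|
    tag = constructed_tag(n)
    puts format("N=%-5d rescan=%-9d single=%d", n,
                chunked_rescan(tag)[:scanned], single_pass(tag)[:scanned])
  end
end
```

Doubling N roughly quadruples the rescan count while the single-pass count only doubles, which is the property a regression test for this fix should assert.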
Updated packages:
  • alt-ruby27_2.7.8-4_amd64.deb
    sha:60bd841bb60bcf029cef8f0a9a15fa2beaa9946b
  • alt-ruby27-default-gems_2.7.8-4_amd64.deb
    sha:4763d21ba0173238e1e3023eab4269a9b3ebbc88
  • alt-ruby27-devel_2.7.8-4_amd64.deb
    sha:ebde0824eeea58686b2c3e06936581f4d8cd15e5
  • alt-ruby27-doc_2.7.8-4_amd64.deb
    sha:ce3245e06b5f63a654e23c235080a52deb52af89
  • alt-ruby27-libs_2.7.8-4_amd64.deb
    sha:2817eadd01496ae917b1065d44526b352c8b116e
  • alt-ruby27-rubygem-bigdecimal_2.0.0-4_amd64.deb
    sha:b733fd2392e21c7efaa512e28c50a023880e355d
  • alt-ruby27-rubygem-bundler_2.2.24-4_amd64.deb
    sha:6d5f3c0c1b59a02a5fcc4b5415f37f49e79d888d
  • alt-ruby27-rubygem-io-console_0.5.6-4_amd64.deb
    sha:06560d93ad9caef6962518afc792b08c66d84c20
  • alt-ruby27-rubygem-irb_1.2.6-4_amd64.deb
    sha:7ab3eedd564b1778fbbd014581d56c5681267eae
  • alt-ruby27-rubygem-json_2.3.0-4_amd64.deb
    sha:73bfcea84b1268bffba34b749b64ce0072237444
  • alt-ruby27-rubygem-minitest_5.13.0-4_amd64.deb
    sha:c5cee3c9a7e98f366cebccef03af609c911118e0
  • alt-ruby27-rubygem-net-telnet_0.2.0-4_amd64.deb
    sha:d8503c0fd9a214f3fd7042b2f7fb79efa7ed634c
  • alt-ruby27-rubygem-power-assert_1.1.7-4_amd64.deb
    sha:6fcd0c386304521b5f6575e7da37e72cb67642d8
  • alt-ruby27-rubygem-psych_3.1.0-4_amd64.deb
    sha:c6f7eeb908f5308c87ebdc0b1745bdcaa62bf2c7
  • alt-ruby27-rubygem-rake_13.0.1-4_amd64.deb
    sha:d4102206acbee152abd43f190784d6a6b7c26b12
  • alt-ruby27-rubygem-rdoc_6.2.1.1-4_amd64.deb
    sha:b0dae7db4fca4fb8a2929a5129c797299e9d95cc
  • alt-ruby27-rubygem-test-unit_3.3.4-4_amd64.deb
    sha:66c3d922a4f09556bb1800af5e14e9fda486d2f4
  • alt-ruby27-rubygem-typeprof_2.7.8-4_amd64.deb
    sha:9cdf6e3d0ec0c33bf5271322e1232526ac65befe
  • alt-ruby27-rubygem-xmlrpc_0.3.0-4_amd64.deb
    sha:f1379b755c0d8f901acb5d73ba4087d285905f8e
  • alt-ruby27-rubygems_3.1.6-4_amd64.deb
    sha:12df18e71f837fc445697fbf59470370601e9960
  • alt-ruby27-rubygems-devel_3.1.6-4_amd64.deb
    sha:34e4792d0d5641c7ddf60085f1c567ff898f6cac
  • alt-ruby27_2.7.8-4_arm64.deb
    sha:181b4ced2e9e279f9a5cd2ce9505dbe92b355100
  • alt-ruby27-default-gems_2.7.8-4_arm64.deb
    sha:fc60f885373243574ed2915595427a9bb24b1990
  • alt-ruby27-devel_2.7.8-4_arm64.deb
    sha:7de0da03aae2a7e9aa93f3c97c5ec8aea88eb20e
  • alt-ruby27-doc_2.7.8-4_arm64.deb
    sha:06219390b8dfbc148fddf5eb34938c22bef4dba2
  • alt-ruby27-libs_2.7.8-4_arm64.deb
    sha:46e1fa9a9dae02cf3e880dd7c4d07c6c4a4ead7a
  • alt-ruby27-rubygem-bigdecimal_2.0.0-4_arm64.deb
    sha:b639a3f64cb7a5db0d14158c1527cc64becf0a60
  • alt-ruby27-rubygem-bundler_2.2.24-4_arm64.deb
    sha:916a83aa608bd53accc2d04f8cb051eaf79b749c
  • alt-ruby27-rubygem-io-console_0.5.6-4_arm64.deb
    sha:0fbbaa844cec3d521c6ad2aa545f9d33b572e908
  • alt-ruby27-rubygem-irb_1.2.6-4_arm64.deb
    sha:ca23794500cf7b10a5ab2707e9ee2944e8fb847c
  • alt-ruby27-rubygem-json_2.3.0-4_arm64.deb
    sha:47ce59496de62153dcf6f2c4333a2f45d78ec71d
  • alt-ruby27-rubygem-minitest_5.13.0-4_arm64.deb
    sha:1cf7dc8e70a446622a6ccc61982c595e867e05ad
  • alt-ruby27-rubygem-net-telnet_0.2.0-4_arm64.deb
    sha:596897c24a47b760ad252aa4edc32c10740eb6a7
  • alt-ruby27-rubygem-power-assert_1.1.7-4_arm64.deb
    sha:5bbe4c00614f109c3d9f40fd3da6fedf946daf4e
  • alt-ruby27-rubygem-psych_3.1.0-4_arm64.deb
    sha:aaa352ed0cc90209dd2da68acdc781d00c4815ca
  • alt-ruby27-rubygem-rake_13.0.1-4_arm64.deb
    sha:67861d86011724e1b4a2cff9e18aab18dd615a1d
  • alt-ruby27-rubygem-rdoc_6.2.1.1-4_arm64.deb
    sha:643da17525c7e775687c4edcdc59dc23029c7d44
  • alt-ruby27-rubygem-test-unit_3.3.4-4_arm64.deb
    sha:785952bb1b3ca29a34deb6328bc18f16d48c7b51
  • alt-ruby27-rubygem-typeprof_2.7.8-4_arm64.deb
    sha:9ebb8e6d84aa33af90721e21e951ed79a4abdf77
  • alt-ruby27-rubygem-xmlrpc_0.3.0-4_arm64.deb
    sha:df0e480f5a394a2f2251ae15335dfc69954ff3f7
  • alt-ruby27-rubygems_3.1.6-4_arm64.deb
    sha:567b13cf7459329c1496673288f21036cd0b8b30
  • alt-ruby27-rubygems-devel_3.1.6-4_arm64.deb
    sha:25614b4f61bdf1029dbe541cc2db733b145362a2
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.