[CLSA-2026:1780918187] Fix CVE(s): CVE-2024-35176, CVE-2024-39908
Type:
security
Severity:
Moderate
Release date:
2026-06-08 11:31:43 UTC
Description:
* SECURITY UPDATE: REXML DoS via attribute value with many '>' characters
  - debian/patches/CVE-2024-35176.patch: replace the per-'>'-chunk re-read loop in parse_attributes with a single-pass read of the attribute value up to the closing quote, followed by a read up to the actual tag end, so that an attribute value containing N repeated '>' characters parses in O(N) time instead of O(N**2). Also fix the latent EOF handling in IOSource#match introduced with CVE-2024-41123, so the partially-filled buffer is matched against the pattern one last time before the source is declared exhausted; this path is now exercised by the new value-rest read.
  - CVE-2024-35176
* SECURITY UPDATE: REXML ReDoS via repeated spaces in ATTLIST
  - debian/patches/CVE-2024-39908.patch: strip the matched ATTLIST contents before applying ATTDEF_RE, so that trailing whitespace after a valid attdef does not trigger catastrophic backtracking in the per-attdef scan. Adapted byte-identically from upstream ruby/rexml@1f1e6e9; the other eight commits referenced by this CVE address O(N**2) source.match interactions that are already mitigated here by the min_bytes-doubling introduced in the CVE-2024-41123 backport (verified by microbench against all eight upstream test vectors at N=200000).
  - CVE-2024-39908
Updated packages:
  • alt-ruby27_2.7.8-4_amd64.deb
    sha:917e0d0245193954d228f1c8ceacfb60de77e65c
  • alt-ruby27-default-gems_2.7.8-4_amd64.deb
    sha:84f060dcc64c58501711efbcdf73654e9d665679
  • alt-ruby27-devel_2.7.8-4_amd64.deb
    sha:41bd3b2312538a9f6c619ae935109db0e3b1cde6
  • alt-ruby27-doc_2.7.8-4_amd64.deb
    sha:ef8ca36542f3acab0eb46dc1235c0b91a9bd3348
  • alt-ruby27-libs_2.7.8-4_amd64.deb
    sha:7fc9abd53dc54e6930814f943ff7cbca72f3551f
  • alt-ruby27-rubygem-bigdecimal_2.0.0-4_amd64.deb
    sha:fe9684e9f2e0964970431a7cb209c5c55bb35c05
  • alt-ruby27-rubygem-bundler_2.2.24-4_amd64.deb
    sha:6cb2ec06a3e59222bec2c4431daff7390dd21968
  • alt-ruby27-rubygem-io-console_0.5.6-4_amd64.deb
    sha:5de1ab012a5f18a5415b775650af272c8d105de8
  • alt-ruby27-rubygem-irb_1.2.6-4_amd64.deb
    sha:b2a568e6bb002b39d7e49daa74af1440d5bdba45
  • alt-ruby27-rubygem-json_2.3.0-4_amd64.deb
    sha:1d51b37fede0cfe71ddb133a56ffd41f3b679dbf
  • alt-ruby27-rubygem-minitest_5.13.0-4_amd64.deb
    sha:230e9c3a2cb4c59b2f7bbf219f0d6be1d6f74468
  • alt-ruby27-rubygem-net-telnet_0.2.0-4_amd64.deb
    sha:ab3af887ff6234e3a2045527eb1092906cc356a8
  • alt-ruby27-rubygem-power-assert_1.1.7-4_amd64.deb
    sha:86a923d136d77249cab504c2bcbda44fa966b438
  • alt-ruby27-rubygem-psych_3.1.0-4_amd64.deb
    sha:588975174880059e0413b4dedfd8cbf8f43ab5aa
  • alt-ruby27-rubygem-rake_13.0.1-4_amd64.deb
    sha:6cd3a8fbf37fa15d7c1b8dbf8a92fc6ea8e12d0f
  • alt-ruby27-rubygem-rdoc_6.2.1.1-4_amd64.deb
    sha:65877202e37e4a4852ad1aa4603bb173e3c4967c
  • alt-ruby27-rubygem-test-unit_3.3.4-4_amd64.deb
    sha:1bf3af8ea1f1ae2d5158b679551393b10c8efad2
  • alt-ruby27-rubygem-typeprof_2.7.8-4_amd64.deb
    sha:8fef090de04f7db7e7c00f639b2b04a26a02d31e
  • alt-ruby27-rubygem-xmlrpc_0.3.0-4_amd64.deb
    sha:4b98452e7d23ab131bad2799fb1c7521d8d96df8
  • alt-ruby27-rubygems_3.1.6-4_amd64.deb
    sha:5c68c15ed317a65d40f9b0dca15881c80e1dab7f
  • alt-ruby27-rubygems-devel_3.1.6-4_amd64.deb
    sha:8f2f69095a5073edd97b83f03927ffb4df282948
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.