| Name | CVE-2024-39908 |
| Description | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-4018-1 |
| Debian Bugs | 1076766, 1076767, 1076768 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| ruby2.7 (PTS) | bullseye | 2.7.4-1+deb11u1 | vulnerable |
| bullseye (security) | 2.7.4-1+deb11u3 | fixed | |
| ruby3.1 (PTS) | bookworm, bookworm (security) | 3.1.2-7+deb12u1 | vulnerable |
| sid, trixie | 3.1.2-8.5 | vulnerable | |
| ruby3.2 (PTS) | sid | 3.2.3-1 | vulnerable |
| ruby3.3 (PTS) | sid, trixie | 3.3.6-1.1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ruby2.7 | source | bullseye | 2.7.4-1+deb11u3 | DLA-4018-1 | ||
| ruby2.7 | source | (unstable) | (unfixed) | |||
| ruby3.1 | source | (unstable) | (unfixed) | 1076768 | ||
| ruby3.2 | source | (unstable) | (unfixed) | 1076767 | ||
| ruby3.3 | source | (unstable) | 3.3.5-1 | 1076766 |
[bookworm] - ruby3.1 <no-dsa> (Minor issue)
https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/
https://github.com/advisories/GHSA-4xqq-m2hx-25v8
https://github.com/ruby/rexml/issues/232#issuecomment-2585211411
Fixed by commit [1/9] https://github.com/ruby/rexml/commit/b8a5f4cd5c8fe29c65d7a00e67170223d9d2b50e
Fixed by commit [2/9] https://github.com/ruby/rexml/commit/0af55fa49d4c9369f90f239a9571edab800ed36e
Fixed by commit [3/9] https://github.com/ruby/rexml/commit/c1b64c174ec2e8ca2174c51332670e3be30c865f
Fixed by commit [4/9] https://github.com/ruby/rexml/commit/9f1415a2616c77cad44a176eee90e8457b4774b6
Fixed by commit [5/9] https://github.com/ruby/rexml/commit/c33ea498102be65082940e8b7d6d31cb2c6e6ee2
Fixed by commit [6/9] https://github.com/ruby/rexml/commit/a79ac8b4b42a9efabe33a0be31bd82d33fd50347
Fixed by commit [7/9] https://github.com/ruby/rexml/commit/67efb5951ed09dbb575c375b130a1e469f437d1f
Fixed by commit [8/9] https://github.com/ruby/rexml/commit/1f1e6e9b40bf339894e843dfd679c2fb1a5ddbf2
Fixed by commit [9/9] https://github.com/ruby/rexml/commit/910e5a2b487cb5a30989884a39f9cad2cc499cfc