CocoaPods
Update REXML to fix DoS Vulnerability (CVE-2024-35176)
Hi team,
There's a DoS vulnerability in rexml before version 3.2.7. It affects xcodeproj through fastlane. Can you update rexml to version 3.2.7 or later?
More details: ruby-lang.org.
Thanks!
It's worse now. New CVE: https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/
This needs to be resolved.
The PR was already merged, any idea when should we expect to have a new release?
Seconding the request for a release at the earliest convenience– my enterprise team is running into security warnings related to this rexml dependency, so it would be hugely helpful to have a new version released with the recently updated constraint. Thanks to the maintainers for the prompt handling of the relevant PR!
Thirding the request, or at least a request for a timeline, for the same reasons.
Please release a numbered version with the merged dependency update. The latest version of this library, 1.24.0, is still vulnerable.
Please release a numbered version with the merged dependency update.
For anybody still struggling with this, you can point your Gemfile to this git repository directly to retrieve the latest version from master.
This worked fine in my case:
source 'https://rubygems.org'
ruby '>= 2.6.10'
gem 'cocoapods', '>= 1.15.2'
gem 'xcodeproj', '~> 1.24', git: 'https://github.com/CocoaPods/Xcodeproj.git'
gem "rexml", "~> 3.3.2"
Once a new version is release, just remove the git: part and update the version identifier next to xcodeproj.
Unfortunately, many of us are exposed to this vulnerability through Fastlane's use of xcodeproj as a dependency.
Looking forward to the next numbered release with bated breath!
