🚨 [security] [ruby] Update rexml 3.3.7 → 3.3.9 (patch)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ rexml (indirect, 3.3.7 → 3.3.9) · Repo · Changelog

Security Advisories 🚨

🚨 REXML ReDoS vulnerability

Impact

The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;).

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.

Patches

The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Workarounds

Use Ruby 3.2 or later instead of Ruby 3.1.

References

• https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org

Release Notes

3.3.9

Improvements

• Improved performance.
  • GH-210
  • Patch by NAITOH Jun.

Fixes

• Fixed a parse bug for text only invalid XML.

  • GH-215
  • Patch by NAITOH Jun.

• Fixed a parse bug that &#0x...; is accepted as a character
  reference.

Thanks

• NAITOH Jun

3.3.8

Improvements

• SAX2: Improve parse performance.
  • GH-207
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that unexpected attribute namespace conflict error for
  the predefined "xml" namespace is reported.
  • GH-208
  • Patch by KITAITI Makoto

Thanks

• NAITOH Jun

• KITAITI Makoto

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

• Add 3.3.9 entry
• parser: fix a bug that &#0x...; is accepted as a character reference
• test: fix indent
• Fix `IOSource#readline` for `@pending_buffer` (#215)
• Optimize `IOSource#read_until` method (#210)
• Bump version
• test: avoid using needless non ASCII characters
• Add 3.3.8 entry
• Fix handling with "xml:" prefixed namespace (#208)
• Optimize SAX2Parser#get_namespace (#207)
• Bump version

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)