{"id":"MGASA-2025-0001","summary":"Updated ruby packages fix security vulnerabilities","details":"The REXML gem before 3.2.6 has a denial of service vulnerability when it\nparses an XML that has many `\u003c`s in an attribute value. (CVE-2024-35176)\nThe REXML gem before 3.3.1 has some DoS vulnerabilities when it parses\nan XML that has many specific characters such as `\u003c`, `0` and `%\u003e`.\n(CVE-2024-39908)\nThe REXML gem before 3.3.2 has some DoS vulnerabilities when it parses\nan XML that has many specific characters such as whitespace character,\n`\u003e]` and `]\u003e`. (CVE-2024-41123)\nThe REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that\nhas many entity expansions with SAX2 or pull parser API.\n(CVE-2024-41946)\nThe REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML\nthat has many deep elements that have same local name attributes.\n(CVE-2024-43398)\nThe REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an\nXML that has many digits between &# and x...; in a hex numeric character\nreference (&#x...;). (CVE-2024-49761)\n","modified":"2026-04-16T04:44:45.519585803Z","published":"2025-01-04T21:09:30Z","upstream":["CVE-2024-35176","CVE-2024-39908","CVE-2024-41123","CVE-2024-41946","CVE-2024-43398","CVE-2024-49761"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2025-0001.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=33576"},{"type":"WEB","url":"https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/"},{"type":"WEB","url":"https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/"},{"type":"WEB","url":"https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/"},{"type":"WEB","url":"https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/"},{"type":"WEB","url":"https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQWXWS2GDTKX4LYWHQOZ2PWXDEICDX2W/"},{"type":"WEB","url":"https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7091-1"}],"affected":[{"package":{"name":"ruby","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/ruby?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.5-46.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0001.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}