[ubuntu/noble-updates] ruby3.2 3.2.3-1ubuntu0.24.04.5 (Accepted)
Ubuntu Archive Robot
ubuntu-archive-robot at lists.canonical.com
Mon Apr 7 14:01:55 UTC 2025
ruby3.2 (3.2.3-1ubuntu0.24.04.5) noble-security; urgency=medium

  * SECURITY UPDATE: DoS in REXML via many < in an attribute value
    - debian/patches/CVE-2024-35176-pre2.patch: use string scanner with
      baseparser.
    - debian/patches/CVE-2024-35176-pre3.patch: use @scanner << readline
      instead of @scanner.string = @scanner.rest + readline.
    - debian/patches/CVE-2024-35176-pre4.patch: use more StringScanner
      based API to parse XML.
    - debian/patches/CVE-2024-35176-pre5.patch: optimize the
      parse_attributes method to use Source#match to parse XML.
    - debian/patches/CVE-2024-35176-1.patch: read quoted attributes in
      chunks.
    - debian/patches/CVE-2024-35176-2.patch: add support for old strscan.
    - CVE-2024-35176
  * SECURITY UPDATE: DoS in REXML via many specific characters
    - debian/patches/CVE-2024-39908-pre1.patch: remove Source#string=
      method.
    - debian/patches/CVE-2024-39908-pre2.patch: add a "malformed comment"
      check for top-level comments.
    - debian/patches/CVE-2024-39908-1.patch: fix performance issue caused
      by using repeated > characters.
    - debian/patches/CVE-2024-39908-2.patch: fix ReDoS caused by very large
      character references using repeated 0s.
    - debian/patches/CVE-2024-39908-3.patch: fix performance issue caused
      by using repeated > characters inside comments.
    - debian/patches/CVE-2024-39908-4.patch: fix performance issue caused
      by using repeated > characters inside CDATA [ PAYLOAD ].
    - debian/patches/CVE-2024-39908-5.patch: fix performance issue caused
      by using repeated > characters after <!DOCTYPE name.
    - debian/patches/CVE-2024-39908-6.patch: fix performance issue caused
      by using repeated > characters inside <!DOCTYPE root [<!-- PAYLOAD
      -->]>.
    - debian/patches/CVE-2024-39908-7.patch: fix performance issue caused
      by using repeated > characters inside <!DOCTYPE name [<!ENTITY>]>.
    - debian/patches/CVE-2024-39908-8.patch: fix ReDoS by using repeated
      space characters inside <!DOCTYPE name [<!ATTLIST>]>.
    - debian/patches/CVE-2024-39908-9.patch: fix performance issue caused
      by using repeated > characters inside <xml><!-- --></xml>.
    - CVE-2024-39908
  * SECURITY UPDATE: DoS in REXML via many specific characters
    - debian/patches/CVE-2024-41123-pre1.patch: fix method scope in test in
      order to invoke the tests properly and fix exception message.
    - debian/patches/CVE-2024-41123-pre2.patch: add missing encode for
      custom term.
    - debian/patches/CVE-2024-41123-pre3.patch: add position check for XML
      declaration.
    - debian/patches/CVE-2024-41123-1.patch: fix source.match performance
      without specifying term string.
    - debian/patches/CVE-2024-41123-2.patch: parse pi: improve invalid case
      detection.
    - CVE-2024-41123
  * SECURITY UPDATE: DoS in REXML via many deep elements
    - debian/patches/CVE-2024-43398-pre1.patch: keep the current namespaces
      instead of stack of Set.
    - debian/patches/CVE-2024-43398-1.patch: improve namespace conflicted
      attribute check performance.
    - debian/patches/CVE-2024-43398-2.patch: fix handling with "xml:"
      prefixed namespace.
    - CVE-2024-43398
  * SECURITY UPDATE: DoS in net-imap response parser
    - debian/patches/CVE-2025-25186.patch: limit number of UIDs in
      .bundle/gems/net-imap-0.4.9.1/lib/net/imap/response_parser.rb.
    - CVE-2025-25186
  * SECURITY UPDATE: DoS in CGI Gem
    - debian/patches/CVE-2025-27219.patch: use String#concat instead of
      String#+ for reducing cpu usage in lib/cgi/cookie.rb.
    - CVE-2025-27219
  * SECURITY UPDATE: ReDoS in CGI Gem
    - debian/patches/CVE-2025-27220.patch: escape/unescape unclosed tags as
      well in lib/cgi/util.rb, test/cgi/test_cgi_util.rb.
    - CVE-2025-27220
  * SECURITY UPDATE: credential leak in URI gem
    - debian/patches/CVE-2025-27221-1.patch: truncate userinfo in
      lib/uri/generic.rb, test/uri/test_generic.rb.
    - debian/patches/CVE-2025-27221-2.patch: fix merger of URI with
      authority component in lib/uri/generic.rb, test/uri/test_generic.rb.
    - CVE-2025-27221
Date: 2025-03-13 18:03:13.165172+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/ruby3.2/3.2.3-1ubuntu0.24.04.5
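The CVE-2025-27221 entry above concerns URI#merge carrying a base URI's userinfo onto a reference that names a different host. The following is an added example, not the Ubuntu patch or the stdlib code: an application-side wrapper that gives the same credential-free result whether or not the installed uri gem is fixed, by dropping the base's user and password whenever the reference supplies its own authority (the RFC 3986 section 5.2.2 rule the fix restores). The helper name and the sample hosts are assumptions for this example.

```ruby
require "uri"

# Added example (not the patched stdlib code). Merge a reference into a base
# URI so that credentials present in the base are never copied onto an
# authority the base did not name. Whether URI#merge itself still leaks
# depends on the installed ruby/uri version; this wrapper normalises the
# outcome so callers see the safe form either way.
def merge_without_credential_leak(base, ref)
  base_uri = URI.parse(base)
  ref_uri  = URI.parse(ref)
  merged   = base_uri.merge(ref_uri)

  # A reference with its own host replaces the whole authority (RFC 3986,
  # section 5.2.2): only credentials written in the reference itself may
  # survive, never the base's. Clear password before user so the setters
  # accept nil without complaint.
  if ref_uri.host && ref_uri.userinfo.nil?
    merged.password = nil
    merged.user = nil
  end
  merged.to_s
end

if __FILE__ == $0
  # Constructed sample values; "secret" stands in for a real credential.
  base = "http://user:secret@example.com/app/index"
  puts merge_without_credential_leak(base, "//other.example/collect")
  puts merge_without_credential_leak(base, "page2")
end
```

A same-host relative reference keeps the base credentials, which is the intended behaviour; only cross-authority merges are stripped.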