CocoaPods / Xcodeproj

Create and modify Xcode projects from Ruby.
http://rubygems.org/gems/xcodeproj
MIT License

Update REXML to fix DoS Vulnerability (CVE-2024-35176) #947

Closed fchiusolo closed 3 months ago

fchiusolo commented 4 months ago

Hi team,

There's a DoS vulnerability in rexml before version 3.2.7. It affects xcodeproj through fastlane. Can you update rexml to version 3.2.7 or later?

More details: ruby-lang.org.

Thanks!

bmedenwald commented 4 months ago

It's worse now. New CVE: https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/

This needs to be resolved.

bmedenwald commented 4 months ago

Added PR: https://github.com/CocoaPods/Xcodeproj/pull/948

iosdevben commented 4 months ago

Urgently needs releasing to address the vulnerability.

samfranz commented 4 months ago

When can we expect a release with this change?

elkinjosetm commented 4 months ago

The PR was already merged, any idea when should we expect to have a new release?

sphanley commented 4 months ago

Seconding the request for a release at the earliest convenience; my enterprise team is running into security warnings related to this rexml dependency, so it would be hugely helpful to have a new version released with the recently updated constraint. Thanks to the maintainers for the prompt handling of the relevant PR!

Aaron-Empower commented 4 months ago

Thirding the request, or at least a request for a timeline, for the same reasons.

kconner commented 4 months ago

Please release a numbered version with the merged dependency update. The latest version of this library, 1.24.0, is still vulnerable.

konrad-gibaszewski commented 4 months ago

Please release a numbered version with the merged dependency update.

0rax commented 4 months ago

For anybody still struggling with this, you can point your Gemfile to this git repository directly to retrieve the latest version from master.

This worked fine in my case:

source 'https://rubygems.org'

ruby '>= 2.6.10'

gem 'cocoapods', '>= 1.15.2'
gem 'xcodeproj', '~> 1.24', git: 'https://github.com/CocoaPods/Xcodeproj.git'
gem "rexml", "~> 3.3.2"

Once a new version is released, just remove the git: part and update the version identifier next to xcodeproj.
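A loose constraint in the Gemfile does not by itself prove that the vulnerable rexml is gone: what matters is the version that Gemfile.lock resolved to. The following script is an added example, not code from this issue or from the Xcodeproj project; it parses the `specs:` section of a lockfile and checks the resolved rexml against a minimum requirement. The threshold `~> 3.3.2` is an assumption taken from the Gemfile posted above, and the lockfile excerpt is constructed for the example.

```ruby
# Added example (not from the Xcodeproj project): report whether the rexml
# version resolved in a Gemfile.lock satisfies a minimum requirement.
# The "~> 3.3.2" threshold is an assumption copied from the Gemfile in the
# comment above; adjust it to whichever advisory you are tracking.
require 'rubygems'

# Constructed sample Gemfile.lock excerpt (not a real lockfile from this repo):
# the Gemfile may allow a newer rexml, yet the lockfile still pins 3.2.6.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      cocoapods (1.15.2)
        xcodeproj (>= 1.23.0, < 2.0)
      rexml (3.2.6)
      xcodeproj (1.24.0)
        rexml (~> 3.2.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    cocoapods (>= 1.15.2)
LOCK

# Parse the "specs:" block of a lockfile. Lines indented exactly four spaces
# are resolved gems ("name (version)"); deeper-indented lines list each gem's
# dependency constraints and are skipped. A blank line ends the block.
def resolved_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.strip.empty?
    next unless in_specs
    if line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
      versions[Regexp.last_match(1)] = Gem::Version.new(Regexp.last_match(2))
    end
  end
  versions
end

# Returns :missing (gem not in the lockfile), :vulnerable (resolved version
# does not satisfy the requirement) or :ok.
def check_gem(lockfile_text, name, minimum_requirement)
  version = resolved_versions(lockfile_text)[name]
  return :missing unless version
  Gem::Requirement.new(minimum_requirement).satisfied_by?(version) ? :ok : :vulnerable
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_rexml.rb [path/to/Gemfile.lock]; defaults to the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  version = resolved_versions(text)['rexml']
  puts "rexml #{version || '(not found)'}: #{check_gem(text, 'rexml', '~> 3.3.2')}"
end
```

Run it against the real lockfile of a project that pulls in xcodeproj through fastlane; a `:vulnerable` result means `bundle update rexml` (or the git-sourced xcodeproj shown above) is still needed even if the Gemfile constraint already looks right.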

Aaron-Empower commented 4 months ago

Unfortunately, many of us are exposed to this vulnerability through Fastlane's use of xcodeproj as a dependency.

Looking forward to the next numbered release with bated breath!

Kaspik commented 4 months ago

@amorde Hola Eric! Is there a chance we could get a new release out asap?

amorde commented 3 months ago

The fix for this was released in 1.25.0.