Closed bmedenwald closed 4 months ago
Is there a reason why https://github.com/CocoaPods/Xcodeproj/pull/944 wasn't merged?
This would have avoided users having to wait on this PR to merge to update REXML, right?
Yup, we need this too.
Thanks for raising this PR and getting it merged.
When are we likely to see a new release of Xcodeproj that incorporates this change?
There is a DoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-39908. We strongly recommend upgrading the REXML gem.
Details: When it parses an XML that has many specific characters such as <, 0 and %>, the REXML gem may take a long time.
Please update REXML gem to version 3.3.2 or later.
Affected versions: REXML gem 3.3.2 or prior
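
As an added example (not code from this thread or from the Xcodeproj project), the following Ruby script audits a `Gemfile.lock` for a resolved REXML older than the 3.3.2 release named above and lists the gems whose constraints prevent the update. The lockfile contents, the gem versions in it and the `audit_rexml` helper are constructed for illustration.

```ruby
# Added example: audit a Gemfile.lock for a REXML version older than the fixed
# release named in the advisory, and list the gems whose constraints pin it.
require "rubygems" # Gem::Version, Gem::Requirement

FIXED_REXML = Gem::Version.new("3.3.2") # "version 3.3.2 or later", per the advisory text

# Constructed sample lockfile; gem versions and constraints are illustrative only.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nanaimo (0.3.0)
      rexml (3.2.6)
      xcodeproj (1.0.0)
        nanaimo (~> 0.3.0)
        rexml (~> 3.2.4)

  DEPENDENCIES
    xcodeproj
LOCK

# Hypothetical helper: returns { resolved:, vulnerable:, blockers: } for the
# rexml entry, or nil when the lockfile does not contain rexml at all.
def audit_rexml(lock_text, fixed = FIXED_REXML)
  resolved = nil
  constraints = {} # parent gem name => Gem::Requirement it places on rexml
  parent = nil
  in_specs = false
  lock_text.each_line do |line|
    line = line.chomp
    if line =~ /\A  specs:\z/
      in_specs = true
    elsif line =~ /\A\S/ # a new top-level section ends the specs list
      in_specs = false
    elsif in_specs && (m = line.match(/\A    (\S+) \(([^)]+)\)\z/))
      parent = m[1] # a resolved gem: "name (version)" at four spaces
      resolved = Gem::Version.new(m[2]) if parent == "rexml"
    elsif in_specs && (m = line.match(/\A      rexml(?: \(([^)]+)\))?\z/))
      reqs = m[1] ? m[1].split(/,\s*/) : [">= 0"] # dependency line at six spaces
      constraints[parent] = Gem::Requirement.new(*reqs)
    end
  end
  return nil unless resolved
  # A blocker is any gem whose constraint cannot be satisfied by the fixed release.
  blockers = constraints.reject { |_, req| req.satisfied_by?(fixed) }.keys.sort
  { resolved: resolved.to_s, vulnerable: resolved < fixed, blockers: blockers }
end

p audit_rexml(SAMPLE_LOCK) if __FILE__ == $PROGRAM_NAME
```

A non-empty `blockers` list means `bundle update rexml` alone cannot reach the fixed release until those gems relax their constraint.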