up rexml to a version that doesnt include the ddos vulnerability - Githubissues

gettalong / kramdown

kramdown is a fast, pure Ruby Markdown superset converter, using a strict syntax definition and supporting several common extensions.

http://kramdown.gettalong.org

Other

1.72k stars 271 forks source link

up rexml to a version that doesnt include the ddos vulnerability #806

Open jeremiahlukus opened 3 months ago

jeremiahlukus commented 3 months ago

REXML contains a denial of service vulnerability (CVE-2024-35176)

Impact The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many `<`s in an attribute value. If you need to parse untrusted XMLs, you many be impacted to this vulnerability. ### Patches The REXML gem 3.2.7 or later include the patch to fix this vulnerability. ### Workarounds Don't parse untrusted XMLs. ### References * https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

^ pasted from NewRelic

monicao commented 3 weeks ago

It looks like more vulnerabilities were found since May.

Consider bumping the version of rexml to '>= 3.3.6', because this CVE-2024-43398 reports the DoS vulnerability is there in prior versions.

jeremiahlukus commented 3 weeks ago

I would if it would get merged since this didnt get merged its unlikely another version bump will.