puppetlabs / puppet-agent

All of the directions for building a puppet agent package.

Bump REXML to 3.3.6 to address CVE-2024-43398 #2551

Closed cthorn42 closed 1 month ago

cthorn42 commented 2 months ago

Our puppet-runtime for both puppet-agent 7.x and puppet-agent main is using REXML 3.3.4 (https://github.com/puppetlabs/puppet-runtime/blob/38fc20bfbe8025e06645db2eab087b48a052b9ec/configs/components/rubygem-rexml.rb#L2). A recently announced CVE, https://www.cve.org/CVERecord?id=CVE-2024-43398, means we need to bump the REXML we're using.

github-actions[bot] commented 2 months ago

Migrated issue to PA-6901

joshcooper commented 1 month ago

Fixed in https://github.com/puppetlabs/puppet-runtime/pull/904