(PA-6507)(PA-6736) Gem install rexml to 3.3.2 for CVE-2024-35176 and CVE-2024-…

shubhamshinde360 commented 1 month ago

…39908

The CVEs were fixed from rexml version 3.2.7 (CVE-2024-35176) and 3.3.2 (CVE-2024-39908).
Patching for the CVE wasn't getting applied cleanly and had a lot of conflicts. So updated the gem version to 3.3.2 in the rexml component file.
Added the change to _shared-agent-components since the CVEs impacts both agent-runtime-main (ruby 3.2.4 using rexml 3.2.6) and agent-runtime-7.x (ruby 2.7.8 using rexml 3.2.3)
For solaris-10-sparc and solaris-11-sparc, we ignore dependency when installing rexml since the ruby in these platforms tries to install strscan (rexml's dependency) but fails while building native extensions. We can ignore installing str scan since it is shipped with ruby 2.7.8 as its default gem.
rexml is a bundled gem in ruby 3.
When we gem install rexml version 3.3.2 to resolve CVEs, we end up having two versions of rexml -- rexml 3.2.5 which is shipped with ruby as its bundled gem and rexml 3.3.2 which we manually installed.
This causes 'Gem::Specification.reset:rexml' warning to go to stderr each time puppet runs.
Run 'gem cleanup rexml' so that it removes the 3.2.5 version for both agent-runtimes and pe-bolt-server-runtime-main, the impacted projects requiring the rexml component.

shubhamshinde360 commented 1 month ago

Tested all platforms applicable for the impacted projects:

Note that the solaris-sparc failures are unrelated to this change, caused by the updation of package xz upstream. That works after updating the package requirement and running the build: https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3094/

shubhamshinde360 commented 1 month ago

We have ruby-3.2.5 released with takes care of the CVE for main, so we only need to apply this gem update step for 7.x.

puppetlabs / puppet-runtime