git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit

author	Divya Chellam <divya.chellam@windriver.com>
	Thu, 20 Nov 2025 09:37:20 +0000 (15:07 +0530)
committer	Steve Sakoman <steve@sakoman.com>
	Thu, 20 Nov 2025 15:28:22 +0000 (07:28 -0800)
commit	a89fcaf0c3ac2afd95e836bc1356832296135696
tree	02ca9ff9ffcaa3f9f1418a3e2aeff46bf8ec574e	tree \| snapshot
parent	7359d3cdf2210e81a26d8712769f7e23bfbc1bb7	commit \| diff

ruby: fix CVE-2024-35176

REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a
denial of service vulnerability when it parses an XML that has many
`<`s in an attribute value. Those who need to parse untrusted XMLs
may be impacted to this vulnerability. The REXML gem 3.2.7 or later
include the patch to fix this vulnerability. As a workaround, don't
parse untrusted XMLs.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-35176

Upstream-patch:
https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

meta/recipes-devtools/ruby/ruby/CVE-2024-35176.patch	[new file with mode: 0644]	blob
meta/recipes-devtools/ruby/ruby_3.1.3.bb		diff \| blob \| blame \| history