Headline
Ubuntu Security Notice USN-7091-1
Ubuntu Security Notice 7091-1 - It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML characters in an attribute value using REXML gem. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service. This issue only affected in Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. It was discovered that Ruby incorrectly handled parsing of an XML document that has many entity expansions with SAX2 or pull parser API. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service.
==========================================================================Ubuntu Security Notice USN-7091-1November 05, 2024ruby3.0, ruby3.2, ruby3.3 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.10- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:Several security issues were fixed in Ruby.Software Description:- ruby3.3: Object-oriented scripting language- ruby3.2: Object-oriented scripting language- ruby3.0: Object-oriented scripting languageDetails:It was discovered that Ruby incorrectly handled parsing of an XML documentthat has specific XML characters in an attribute value using REXML gem. Anattacker could use this issue to cause Ruby to crash, resulting in a denialof service. This issue only affected in Ubuntu 22.04 LTS and Ubuntu 24.04LTS. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123)It was discovered that Ruby incorrectly handled parsing of an XML documentthat has many entity expansions with SAX2 or pull parser API. An attackercould use this issue to cause Ruby to crash, resulting in a denial ofservice. (CVE-2024-41946)It was discovered that Ruby incorrectly handled parsing of an XML documentthat has many digits in a hex numeric character reference. An attackercould use this issue to cause Ruby to crash, resulting in a denial ofservice. (CVE-2024-49761)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.10 libruby3.3 3.3.4-2ubuntu5.1 ruby3.3 3.3.4-2ubuntu5.1Ubuntu 24.04 LTS libruby3.2 3.2.3-1ubuntu0.24.04.3 ruby3.2 3.2.3-1ubuntu0.24.04.3Ubuntu 22.04 LTS libruby3.0 3.0.2-7ubuntu2.8 ruby3.0 3.0.2-7ubuntu2.8In general, a standard system update will make all the necessary changes.References: https://ubuntu.com/security/notices/USN-7091-1 CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946, CVE-2024-49761Package Information: https://launchpad.net/ubuntu/+source/ruby3.3/3.3.4-2ubuntu5.1 https://launchpad.net/ubuntu/+source/ruby3.2/3.2.3-1ubuntu0.24.04.3 https://launchpad.net/ubuntu/+source/ruby3.0/3.0.2-7ubuntu2.8Related news
### Impact The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03. ### Patches The REXML gem 3.3.9 or later include the patch to fix the vulnerability. ### Workarounds Use Ruby 3.2 or later instead of Ruby 3.1. ### References * https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org
Red Hat Security Advisory 2024-6785-03 - An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-6785-03 - An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-6785-03 - An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-6784-03 - An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-6784-03 - An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-6784-03 - An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-5338-03 - An update for pcs is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
### Impact The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability. ### Patches The REXML gem 3.3.3 or later include the patch to fix the vulnerability. ### Workarounds Don't parse untrusted XMLs with SAX2 or pull parser API. ### References * https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability * https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org
### Impact The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. ### Patches The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. ### Workarounds Don't parse untrusted XMLs. ### References * https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability * https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability * https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org
### Impact The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. ### Patches The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. ### Workarounds Don't parse untrusted XMLs. ### References * https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability * https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/
Red Hat Security Advisory 2024-4499-03 - An update for ruby is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
### Impact The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many `<`s in an attribute value. If you need to parse untrusted XMLs, you many be impacted to this vulnerability. ### Patches The REXML gem 3.2.7 or later include the patch to fix this vulnerability. ### Workarounds Don't parse untrusted XMLs. ### References * https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/