
Issue #20516 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE to 3.1: REQUIRED, 3.2: DONE, 3.3: DONE

Thanks to the advice from hsbt-san, I backported a series of changesets around "gems/lib/" directory to fix test-bundled-gems failures with rexml-3.2.9.
Thank you all!

commit:8e7d5adb4a481e9b4050505ea88cdf64278cacb7
commit:56c311aa0b20dee13ab43309ae3386f57f8cb797
commit:9542ef2798c6f555df5115da6881a5d50ed7034b
commit:5a70a323904368987b79c59140bd2aca009da7a0
commit:963bb96e29204f351fa58a205a6eec075c0194ff
commit:fa042a0f10f70347c1717c068d96e43e19f2171b
commit:8e68752a5e48c5baf07114952d256efa360e3f4b

----------------------------------------
Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6.
https://bugs.ruby-lang.org/issues/20516#change-108873

* Author: naitoh (Jun NAITOH)
* Status: Closed
* ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22]
* Backport: 3.1: REQUIRED, 3.2: DONE, 3.3: DONE
----------------------------------------
The version of rexml in ruby 3.3.2 has not been updated since 3.2.6.
This is still a DoS vulnerable version.
https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

```
$ ruby -v
ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22]
$ gem list rexml

*** LOCAL GEMS ***

rexml (3.2.6)
```

-- 
https://bugs.ruby-lang.org/