[ruby-core:118128] [Ruby master Bug#20516] The version of rexml in ruby 3.3.2 has not been updated since 3.2.6.
Issue #20516 has been reported by naitoh (Jun NAITOH). ---------------------------------------- Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. https://bugs.ruby-lang.org/issues/20516 * Author: naitoh (Jun NAITOH) * Status: Open * ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] * Backport: 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN ---------------------------------------- The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. This is still a DoS vulnerable version. https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ ``` $ ruby -v ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] $ gem list rexml *** LOCAL GEMS *** rexml (3.2.6) ``` -- https://bugs.ruby-lang.org/
Issue #20516 has been updated by k0kubun (Takashi Kokubun). Backport changed from 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: REQUIRED to 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: DONE ruby_3_3 commit:c9bec74b21f0e6cf05d9b200a1636bdb8069de8c merged revision(s) commit:70ad58cb62b195ba86a5ef07a565b22b02a040ea. ---------------------------------------- Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. https://bugs.ruby-lang.org/issues/20516#change-108567 * Author: naitoh (Jun NAITOH) * Status: Closed * ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] * Backport: 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: DONE ---------------------------------------- The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. This is still a DoS vulnerable version. https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ ``` $ ruby -v ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] $ gem list rexml *** LOCAL GEMS *** rexml (3.2.6) ``` -- https://bugs.ruby-lang.org/
Issue #20516 has been updated by naitoh (Jun NAITOH). Thanks for the merge to Ruby 3.3.
Backport changed from 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: REQUIRED to 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: DONE
However, since this is a security fix, I think it should be merged back into 3.2 and 3.1 as well. https://www.ruby-lang.org/en/downloads/ ---------------------------------------- Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. https://bugs.ruby-lang.org/issues/20516#change-108568 * Author: naitoh (Jun NAITOH) * Status: Closed * ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] * Backport: 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: DONE ---------------------------------------- The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. This is still a DoS vulnerable version. https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ ``` $ ruby -v ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] $ gem list rexml *** LOCAL GEMS *** rexml (3.2.6) ``` -- https://bugs.ruby-lang.org/
Issue #20516 has been updated by nagachika (Tomoyuki Chikanaga). Backport changed from 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE to 3.1: REQUIRED, 3.2: DONE, 3.3: DONE ruby_3_2 commit:519ac9c5fd7bfa75655231188ac1da9589563618 merged revision(s) commit:70ad58cb62b195ba86a5ef07a565b22b02a040ea. ---------------------------------------- Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. https://bugs.ruby-lang.org/issues/20516#change-108571 * Author: naitoh (Jun NAITOH) * Status: Closed * ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] * Backport: 3.1: REQUIRED, 3.2: DONE, 3.3: DONE ---------------------------------------- The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. This is still a DoS vulnerable version. https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ ``` $ ruby -v ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] $ gem list rexml *** LOCAL GEMS *** rexml (3.2.6) ``` -- https://bugs.ruby-lang.org/
Issue #20516 has been updated by nagachika (Tomoyuki Chikanaga). Additionally, I backported 9f708d48f6df37ee9600db9d51b57a156609a13b, 0301473fb523c71d8cdc4966971f31f502001185 and 7f0e26b7f99bf76408569892ce20318501f74729 into ruby_3_2 branch. However the failure in test-bundled-gems persists. I think we should backport additional changesets related to bundled gems tests. I will continue to investigate. Any suggestions are welcome. ---------------------------------------- Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. https://bugs.ruby-lang.org/issues/20516#change-108576 * Author: naitoh (Jun NAITOH) * Status: Closed * ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] * Backport: 3.1: REQUIRED, 3.2: DONE, 3.3: DONE ---------------------------------------- The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. This is still a DoS vulnerable version. https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ ``` $ ruby -v ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] $ gem list rexml *** LOCAL GEMS *** rexml (3.2.6) ``` -- https://bugs.ruby-lang.org/
Issue #20516 has been updated by naitoh (Jun NAITOH).
However the failure in test-bundled-gems persists. I think we should backport additional changesets related to bundled gems tests. I will continue to investigate. Any suggestions are welcome.
- https://rubygems.org/gems/rexml/versions/3.2.6 - Development依存関係 (3): - bundler >= 0 - rake >= 0 - test-unit >= 0 - https://rubygems.org/gems/rexml/versions/3.2.8 - Runtime依存関係 (1): - strscan >= 3.0.9 The version of strscan required has changed, which may be the cause. ---------------------------------------- Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. https://bugs.ruby-lang.org/issues/20516#change-108578 * Author: naitoh (Jun NAITOH) * Status: Closed * ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] * Backport: 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE ---------------------------------------- The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. This is still a DoS vulnerable version. https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ ``` $ ruby -v ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] $ gem list rexml *** LOCAL GEMS *** rexml (3.2.6) ``` -- https://bugs.ruby-lang.org/
Issue #20516 has been updated by kou (Kouhei Sutou). https://github.com/ruby/ruby/pull/10806 may be related. ---------------------------------------- Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. https://bugs.ruby-lang.org/issues/20516#change-108581 * Author: naitoh (Jun NAITOH) * Status: Closed * ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] * Backport: 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE ---------------------------------------- The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. This is still a DoS vulnerable version. https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ ``` $ ruby -v ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] $ gem list rexml *** LOCAL GEMS *** rexml (3.2.6) ``` -- https://bugs.ruby-lang.org/
Issue #20516 has been updated by nagachika (Tomoyuki Chikanaga).
The version of strscan required has changed,
Right, I think commit:7f0e26b7f99bf76408569892ce20318501f74729 was the follow-up for the dependency change, and the backporting it (with some preceding changesets) cure the failures on the test of rexml(partially) and rss. However the test of rexml on ruby core repo still failed. https://github.com/ruby/ruby/actions/runs/9334302271/job/25692373287#step:16... ---------------------------------------- Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. https://bugs.ruby-lang.org/issues/20516#change-108582 * Author: naitoh (Jun NAITOH) * Status: Closed * ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] * Backport: 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE ---------------------------------------- The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. This is still a DoS vulnerable version. https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ ``` $ ruby -v ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] $ gem list rexml *** LOCAL GEMS *** rexml (3.2.6) ``` -- https://bugs.ruby-lang.org/
Issue #20516 has been updated by kou (Kouhei Sutou). https://github.com/ruby/ruby/actions/runs/9334302271/job/25692373287#step:16... ```text Error: test_require_home_runner_work_ruby_ruby_src_gems_src_rexml_test_test_document_rb(RequireFailedErrors): LoadError: failed to load </home/runner/work/ruby/ruby/src/gems/src/rexml/test/test_document.rb>: cannot load such file -- core_assertions ``` We need `test-unit-ruby-core` gem for it. Other failures may be related to StringScanner version. We'll release a new REXML version with https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d742... in a few weeks. Could you try it after we release it? ---------------------------------------- Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. https://bugs.ruby-lang.org/issues/20516#change-108584 * Author: naitoh (Jun NAITOH) * Status: Closed * ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] * Backport: 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE ---------------------------------------- The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. This is still a DoS vulnerable version. https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ ``` $ ruby -v ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] $ gem list rexml *** LOCAL GEMS *** rexml (3.2.6) ``` -- https://bugs.ruby-lang.org/
Issue #20516 has been updated by nagachika (Tomoyuki Chikanaga). @kou Thank you for your investigation! I will revert previous backports on ruby_3_2 for a while to keep CI green. ---------------------------------------- Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. https://bugs.ruby-lang.org/issues/20516#change-108585 * Author: naitoh (Jun NAITOH) * Status: Closed * ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] * Backport: 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE ---------------------------------------- The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. This is still a DoS vulnerable version. https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ ``` $ ruby -v ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] $ gem list rexml *** LOCAL GEMS *** rexml (3.2.6) ``` -- https://bugs.ruby-lang.org/
Issue #20516 has been updated by hsbt (Hiroshi SHIBATA). Thanks all. The current `make test-bundled-gems` is not working with C ext dependencies like strscan. I removed them at https://github.com/ruby/ruby/blob/master/tool/lib/bundled_gem.rb#L67 if dependencies are the default gems. We can use them via ruby source tree. The above workaround is only working with resolving with correct version like `strscan >= 3.0.9` manually. The version of strscan with `ruby_3_2` is `3.0.5`. Because https://bugs.ruby-lang.org/issues/20516#note-10 is failed maybe. We have the following solution: * Wait to release rexml-3.2.9. * Upgrade strscan-3.0.9+ on `ruby_3_1` and `ruby_3_2` and rexml-3.2.8. ---------------------------------------- Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. https://bugs.ruby-lang.org/issues/20516#change-108587 * Author: naitoh (Jun NAITOH) * Status: Closed * ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] * Backport: 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE ---------------------------------------- The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. This is still a DoS vulnerable version. https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ ``` $ ruby -v ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] $ gem list rexml *** LOCAL GEMS *** rexml (3.2.6) ``` -- https://bugs.ruby-lang.org/
Issue #20516 has been updated by kou (Kouhei Sutou). Could you try REXML 3.2.9? ---------------------------------------- Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. https://bugs.ruby-lang.org/issues/20516#change-108757 * Author: naitoh (Jun NAITOH) * Status: Closed * ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] * Backport: 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE ---------------------------------------- The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. This is still a DoS vulnerable version. https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ ``` $ ruby -v ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] $ gem list rexml *** LOCAL GEMS *** rexml (3.2.6) ``` -- https://bugs.ruby-lang.org/
Issue #20516 has been updated by nagachika (Tomoyuki Chikanaga). Backport changed from 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE to 3.1: REQUIRED, 3.2: DONE, 3.3: DONE Thanks to the advice from hsbt-san, I backported a series of changesets around "gems/lib/" directory to fix test-bundled-gems failures with rexml-3.2.9. Thank you all! commit:8e7d5adb4a481e9b4050505ea88cdf64278cacb7 commit:56c311aa0b20dee13ab43309ae3386f57f8cb797 commit:9542ef2798c6f555df5115da6881a5d50ed7034b commit:5a70a323904368987b79c59140bd2aca009da7a0 commit:963bb96e29204f351fa58a205a6eec075c0194ff commit:fa042a0f10f70347c1717c068d96e43e19f2171b commit:8e68752a5e48c5baf07114952d256efa360e3f4b ---------------------------------------- Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. https://bugs.ruby-lang.org/issues/20516#change-108873 * Author: naitoh (Jun NAITOH) * Status: Closed * ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] * Backport: 3.1: REQUIRED, 3.2: DONE, 3.3: DONE ---------------------------------------- The version of rexml in ruby 3.3.2 has not been updated since 3.2.6. This is still a DoS vulnerable version. https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ ``` $ ruby -v ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22] $ gem list rexml *** LOCAL GEMS *** rexml (3.2.6) ``` -- https://bugs.ruby-lang.org/
participants (5)
-
hsbt (Hiroshi SHIBATA) -
k0kubun (Takashi Kokubun)
-
kou (Kouhei Sutou)
-
nagachika (Tomoyuki Chikanaga)
-
naitoh (Jun NAITOH)