
Upgrade rexml to 3.3.8 to fix CVE-2024-43398 #5245

Closed
wants to merge 3 commits into from

Conversation

raymzag
Contributor

@raymzag raymzag commented Sep 3, 2024

Resolves CVE-2024-43398

| Name: rexml |
| --- |
| Version: 3.2.8 |
| CVE: CVE-2024-43398 |
| GHSA: GHSA-vmwr-mc7x-5vc3 |
| Criticality: Medium |
| URL: https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3 |
| Title: REXML denial of service vulnerability |
| Solution: update to '>= 3.3.6' |

Tests

```text
bundle exec rake test:local

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
6012 tests, 80277 assertions, 0 failures, 0 errors, 0 pendings, 0 omissions, 0 notifications
100% passed
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
177.93 tests/s, 2375.84 assertions/s
Running RuboCop...
Inspecting 801 files
.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

801 files inspected, no offenses detected

Tip: Based on detected gems, the following RuboCop extension libraries might be helpful:
  * rubocop-rake (https://github.com/rubocop/rubocop-rake)

You can opt out of this message by adding the following to your config (see https://docs.rubocop.org/rubocop/extensions.html#extension-suggestions for more options):
  AllCops:
    SuggestExtensions: false
```
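As an added example (not code from this PR, from rexml, or from the project being patched), the following Ruby script applies the advisory's stated fix range (`>= 3.3.6`) to a `Gemfile.lock`: it reads the resolved version of `rexml` out of the lockfile's `specs:` section and reports it when it falls below the patched range, which is the check a reviewer would run before and after a bump like this one. The lockfile contents, the `lockfile_versions` parser and the `vulnerable_rexml` helper are constructed for the example; only the fix range and the version numbers come from the PR description.

```ruby
# Added example (not part of the PR): flag a Gemfile.lock whose resolved
# rexml version is below the patched range given in GHSA-vmwr-mc7x-5vc3.
require 'rubygems'

# Patched range as stated in the advisory quoted in the PR description.
REXML_FIXED = Gem::Requirement.new('>= 3.3.6')

# Parse "name (version)" entries from every `specs:` section of a Gemfile.lock.
# Direct entries are indented exactly four spaces; six-space lines underneath
# them are dependency constraints (e.g. "strscan"), not resolved versions.
def lockfile_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.match?(/\A\S/) # next top-level section
    next unless in_specs

    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)/))
      # Platform-specific entries look like "1.2.3-x86_64-linux"; keep the
      # numeric part only so Gem::Version can parse it.
      versions[m[1]] = Gem::Version.new(m[2].split('-').first)
    end
  end
  versions
end

# Returns nil when rexml is absent or already patched, otherwise the
# offending version as a string.
def vulnerable_rexml(lock_text)
  version = lockfile_versions(lock_text)['rexml']
  return nil if version.nil? || REXML_FIXED.satisfied_by?(version)

  version.to_s
end

# Constructed sample lockfile pinning the version the PR started from.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.2.1)
      rexml (3.2.8)
        strscan

  PLATFORMS
    ruby
LOCK

if __FILE__ == $PROGRAM_NAME
  found = vulnerable_rexml(SAMPLE_LOCK)
  puts(found ? "rexml #{found} is below #{REXML_FIXED}" : 'rexml is patched or absent')
end
```

Running the script against the constructed lockfile reports `rexml 3.2.8`; after editing the entry to any of the versions the PR moved through (3.3.6, 3.3.7, 3.3.8) it reports the gem as patched. The same parser can be pointed at a real lockfile by replacing `SAMPLE_LOCK` with `File.read('Gemfile.lock')`.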

@raymzag
Contributor Author

raymzag commented Sep 24, 2024

Hey @aenand, could you help with the review of this?

@aenand
Contributor

aenand commented Sep 24, 2024

> Hey @aenand, could you help with the review of this?

Absolutely! Thank you for raising this. I'll review it today.

@aenand
Contributor

aenand commented Sep 24, 2024

This looks good to me from a changelog perspective. @Buitragox is performing some more in-depth testing to see if the latest available version (3.3.7) works.

@raymzag
Contributor Author

raymzag commented Sep 24, 2024

Thanks @aenand. Should I bump the version here to 3.3.7?

@aenand
Contributor

aenand commented Sep 25, 2024

Yes, please bump to 3.3.7.

@Buitragox
Collaborator

Latest version 3.3.7 works fine.

@raymzag
Contributor Author

raymzag commented Sep 26, 2024

Bumped.

Thanks! @aenand @Buitragox

@raymzag raymzag changed the title Upgrade rexml to 3.3.6 to fix CVE-2024-43398 Upgrade rexml to 3.3.7 to fix CVE-2024-43398 Sep 26, 2024
Contributor

@aenand aenand left a comment


Thank you for this! This will get merged next week.

@raymzag
Contributor Author

raymzag commented Oct 6, 2024

There's a new version that just came out (https://github.com/ruby/rexml/releases). Should we update to that since we haven't merged this yet?

@aenand
Contributor

aenand commented Oct 7, 2024

> There's a new version that just came out (https://github.com/ruby/rexml/releases). Should we update to that since we haven't merged this yet?

@Buitragox what is your deploy plan? Would you rather retest on the new version or are you planning to merge this soon?

@Buitragox
Collaborator

@aenand @raymzag We can update to the new version and retest. 👍

@raymzag
Contributor Author

raymzag commented Oct 9, 2024

Done. Thanks @Buitragox

@Buitragox Buitragox closed this in 3b350f1 Oct 17, 2024
@Buitragox Buitragox changed the title Upgrade rexml to 3.3.7 to fix CVE-2024-43398 Upgrade rexml to 3.3.8 to fix CVE-2024-43398 Oct 17, 2024
@raymzag raymzag deleted the upgrade-rexml-to-3-3-6 branch October 18, 2024 23:15