
Upgrade rexml to 3.3.8 to fix CVE-2024-43398 #5245

Closed
wants to merge 3 commits into from

Conversation

@raymzag (Contributor) commented Sep 3, 2024

Resolves CVE-2024-43398

| Field | Value |
| --- | --- |
| Name | rexml |
| Version | 3.2.8 |
| CVE | CVE-2024-43398 |
| GHSA | GHSA-vmwr-mc7x-5vc3 |
| Criticality | Medium |
| URL | https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3 |
| Title | REXML denial of service vulnerability |
| Solution | update to '>= 3.3.6' |

Tests

```
bundle exec rake test:local

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
6012 tests, 80277 assertions, 0 failures, 0 errors, 0 pendings, 0 omissions, 0 notifications
100% passed
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
177.93 tests/s, 2375.84 assertions/s
Running RuboCop...
Inspecting 801 files
.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

801 files inspected, no offenses detected

Tip: Based on detected gems, the following RuboCop extension libraries might be helpful:
  * rubocop-rake (https://github.com/rubocop/rubocop-rake)

You can opt out of this message by adding the following to your config (see https://docs.rubocop.org/rubocop/extensions.html#extension-suggestions for more options):
  AllCops:
    SuggestExtensions: false
```
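As an added example, not code from this pull request or from the rexml project: a small Ruby check that reads the specs section of a Gemfile.lock and reports whether the locked rexml version satisfies the advisory's fix constraint (`>= 3.3.6`). The lockfile excerpts, the `locked_versions` and `rexml_status` helpers and the `REXML_FIX_REQUIREMENT` constant are all constructed for this illustration; only RubyGems' own `Gem::Version` and `Gem::Requirement` are used.

```ruby
# Added example (not part of this pull request): check a Gemfile.lock's
# locked rexml version against the advisory's fix constraint.
require "rubygems"

# Fix constraint as stated in the advisory for CVE-2024-43398.
REXML_FIX_REQUIREMENT = Gem::Requirement.new(">= 3.3.6")

# Extract "name (version)" pairs from the specs sections of a Gemfile.lock.
# Only four-space-indented lines carry a locked version; deeper indentation
# lists a gem's dependencies and is skipped.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.start_with?("  specs:")
      in_specs = true
      next
    end
    # A non-indented line (blank, PLATFORMS, DEPENDENCIES, ...) ends the block.
    in_specs = false if in_specs && !line.start_with?(" ")
    next unless in_specs
    if (m = line.match(/\A    ([\w.-]+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# Return :missing, :vulnerable or :fixed for the locked rexml version.
def rexml_status(lockfile_text, requirement = REXML_FIX_REQUIREMENT)
  version = locked_versions(lockfile_text)["rexml"]
  return :missing unless version
  requirement.satisfied_by?(version) ? :fixed : :vulnerable
end

# Constructed sample lockfile excerpts (not taken from this repository).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rexml (3.2.8)
        strscan
      strscan (3.1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rexml
LOCK

FIXED_LOCK = VULNERABLE_LOCK.sub("rexml (3.2.8)", "rexml (3.3.8)")

if __FILE__ == $PROGRAM_NAME
  [VULNERABLE_LOCK, FIXED_LOCK].each do |lock|
    puts "rexml #{locked_versions(lock)['rexml']}: #{rexml_status(lock)}"
  end
end
```

Run it against a real lockfile with `rexml_status(File.read("Gemfile.lock"))`. A bump that edits only the Gemfile but leaves Gemfile.lock untouched still reports `:vulnerable`, which is exactly the case a lockfile-based CI check like this catches.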

@raymzag (Contributor, Author) commented Sep 24, 2024

Hey @aenand, could you help with the review of this?

@aenand (Contributor) commented Sep 24, 2024

> Hey @aenand, could you help with the review of this?

Absolutely! Thank you for raising this. I'll review it today.

@aenand (Contributor) commented Sep 24, 2024

This looks good to me from a changelog perspective. @Buitragox is performing some more in-depth testing to see if the latest available version (3.3.7) works.

@raymzag (Contributor, Author) commented Sep 24, 2024

Thanks @aenand. Should I bump the version here to 3.3.7?

@aenand (Contributor) commented Sep 25, 2024

Yes, please bump to 3.3.7.

@Buitragox (Contributor) commented

Latest version 3.3.7 works fine.

@raymzag (Contributor, Author) commented Sep 26, 2024

Bumped.

Thanks! @aenand @Buitragox

@raymzag raymzag changed the title Upgrade rexml to 3.3.6 to fix CVE-2024-43398 Upgrade rexml to 3.3.7 to fix CVE-2024-43398 Sep 26, 2024
@aenand (Contributor) left a comment

Thank you for this! This will get merged next week.

@raymzag (Contributor, Author) commented Oct 6, 2024

There's a new version that just came out (https://github.com/ruby/rexml/releases); should we update to that since we haven't merged this yet?

@aenand (Contributor) commented Oct 7, 2024

> There's a new version that just came out (https://github.com/ruby/rexml/releases); should we update to that since we haven't merged this yet?

@Buitragox, what is your deploy plan? Would you rather retest on the new version, or are you planning to merge this soon?

@Buitragox (Contributor) commented

@aenand @raymzag We can update to the new version and retest 👍

@raymzag raymzag force-pushed the upgrade-rexml-to-3-3-6 branch from a66dd38 to 25fc445 October 9, 2024 00:16

@raymzag (Contributor, Author) commented Oct 9, 2024

Done. Thanks @Buitragox.

@Buitragox Buitragox closed this in 3b350f1 Oct 17, 2024
@Buitragox Buitragox changed the title Upgrade rexml to 3.3.7 to fix CVE-2024-43398 Upgrade rexml to 3.3.8 to fix CVE-2024-43398 Oct 17, 2024
@raymzag raymzag deleted the upgrade-rexml-to-3-3-6 branch October 18, 2024 23:15
3 participants