Release date:
2026-06-09 08:13:48 UTC
Description:
* SECURITY UPDATE: REXML DoS via an attribute value containing many '>'
- debian/patches/CVE-2024-35176.patch: in parse_attributes
(lib/rexml/parsers/baseparser.rb), resolve the missing-closing-quote
case in a single pass -- read the value rest up to the closing quote
and then up to the tag end with two source.match calls -- instead of
consuming one '>'-chunk per iteration, which reset the scanner and
re-ran ATTRIBUTE_PATTERN over the accumulating buffer, giving O(N^2)
behaviour. Also make IOSource#match (lib/rexml/source.rb) retry the
pattern after every read attempt so the partial buffer is matched once
more before the source is declared exhausted, as required by the new
value-rest read. Adapted from upstream ruby/rexml ba70cfef ("Read
quoted attributes in chunks"); the read_until API added upstream has
no callers here once parse_attributes is fixed in place. Adds a
Timeout-based regression test
(test/rexml/parse/test_attribute_gt_redos.rb) adapted from upstream.
- CVE-2024-35176
* SECURITY UPDATE: REXML ReDoS via repeated spaces inside linear). Adapted from
upstream ruby/rexml 1f1e6e9; a byte-identical md[0].strip is a no-op on
3.1.9.1 because here md[0] starts with the "=12 also skip the net/http and net/smtp tests,
which spawn TCP servers via tcp_server_sockets_port0 and flake with
Errno::EADDRINUSE under concurrent builds (mirrors alt-ruby31).
- debian/patches/fix-tests-mjit-fork.patch: backport upstream 7a859b6a
(Ruby 2.7.0+) to fix the flaky TestJIT#test_fork_with_mjit_worker_thread
stderr output race; never backported to the 2.6 series.
Updated packages:
-
alt-ruby26_2.6.10-18_amd64.deb
sha:a0c8620c1892e5488805366dacd2b96c6dd5a1f2
-
alt-ruby26-default-gems_2.6.10-18_amd64.deb
sha:5e20593bac18855eb9945df8e4ce1d979622d496
-
alt-ruby26-devel_2.6.10-18_amd64.deb
sha:33a11ccb9772f66e256d65a541b041ec0d04e000
-
alt-ruby26-devel-doc_2.6.10-18_amd64.deb
sha:d729c2bf408ff3f824af67ea37266338af9aab26
-
alt-ruby26-doc_2.6.10-18_amd64.deb
sha:54dac2eef5c88eb0d6574ef8f3385d8aa9543171
-
alt-ruby26-libs_2.6.10-18_amd64.deb
sha:b0b92c3aab0af1c03fb554d553475f1f4a942392
-
alt-ruby26-rubygem-bigdecimal_1.4.1-18_amd64.deb
sha:049fad95557c68b57b220967ecc1a3c13508df47
-
alt-ruby26-rubygem-did-you-mean_2.6.10-18_amd64.deb
sha:fcb4034c37bd675ce737e85898a87cc83fbf6968
-
alt-ruby26-rubygem-io-console_0.4.7-18_amd64.deb
sha:adbf956dca1e97b1bc60ef470dc1ef750d7f95c8
-
alt-ruby26-rubygem-json_2.1.0-18_amd64.deb
sha:be648d04305f2e0c337838d61e906681d294607c
-
alt-ruby26-rubygem-minitest_5.11.3-18_amd64.deb
sha:58bc6ee6251f587c25e2b6c2944888bf2dfd411a
-
alt-ruby26-rubygem-net-telnet_0.2.0-18_amd64.deb
sha:e0bc01928fa02b19b74d84e79fc0760049891349
-
alt-ruby26-rubygem-openssl_2.6.10-18_amd64.deb
sha:992172845224bfb7072fcb08a5e440f6a82e4f04
-
alt-ruby26-rubygem-power-assert_1.1.3-18_amd64.deb
sha:8909aa6a14d1fe3f44ac7af9d0cb4a47103acab2
-
alt-ruby26-rubygem-psych_3.1.0-18_amd64.deb
sha:e0c0ab2c28a289997dbc81358828d4620fe7851e
-
alt-ruby26-rubygem-rake_12.3.3-18_amd64.deb
sha:789846c30671c5521df7c2eafdbf50d71b95575e
-
alt-ruby26-rubygem-rdoc_6.1.2.1-18_amd64.deb
sha:7b1de3b96e14617f74c341b2c12d825401278fae
-
alt-ruby26-rubygem-test-unit_3.2.9-18_amd64.deb
sha:4a63f4b502146dc4f8753365693b13d7a9abac7b
-
alt-ruby26-rubygem-typeprof_2.6.10-18_amd64.deb
sha:bca2cc8f9ba9e1e65422aa4064ab7838fc6016cd
-
alt-ruby26-rubygem-xmlrpc_0.3.0-18_amd64.deb
sha:8e8cd30c4c21884faeda9fdbc13071abcbef9ec7
-
alt-ruby26-rubygems_3.0.3.1-18_amd64.deb
sha:bae711b89561709fb9ca507543ebe3a18564722f
-
alt-ruby26-rubygems-devel_3.0.3.1-18_amd64.deb
sha:5362627735ab1af5451b9f5c9e20440a84984b0b
-
alt-ruby26_2.6.10-18_arm64.deb
sha:f6111f9596f958f102e7dfaf1770b07c4e0a6b6e
-
alt-ruby26-default-gems_2.6.10-18_arm64.deb
sha:177489812d17f1f16ffaa6e4efef3714db1b11c8
-
alt-ruby26-devel_2.6.10-18_arm64.deb
sha:10646abcada434be377e18e5e51b9dd2f4f30293
-
alt-ruby26-devel-doc_2.6.10-18_arm64.deb
sha:7f978f6e47425b8d0de4ac345b107cda671b670c
-
alt-ruby26-doc_2.6.10-18_arm64.deb
sha:4da040c724b79199cd1a67fa14e8c2b18bc9f809
-
alt-ruby26-libs_2.6.10-18_arm64.deb
sha:b5d8ee345e881ac69742c398bca1d403bea05de2
-
alt-ruby26-rubygem-bigdecimal_1.4.1-18_arm64.deb
sha:5510d8880828626978b322658de50ca3b46ed57b
-
alt-ruby26-rubygem-did-you-mean_2.6.10-18_arm64.deb
sha:933de29476dbd52c7bdb860ed8f1aa6fe9ce2ff4
-
alt-ruby26-rubygem-io-console_0.4.7-18_arm64.deb
sha:325917360439efb34be1e3423dae1111192a93f4
-
alt-ruby26-rubygem-json_2.1.0-18_arm64.deb
sha:1085424608c25145b9b0e52a73c27e5dbb89f2bd
-
alt-ruby26-rubygem-minitest_5.11.3-18_arm64.deb
sha:c92707d2b0a092843f19070ef0ff126c93e82abb
-
alt-ruby26-rubygem-net-telnet_0.2.0-18_arm64.deb
sha:f71a1dc1d9631254d13eaeec5b2052399a86497a
-
alt-ruby26-rubygem-openssl_2.6.10-18_arm64.deb
sha:e8fb2d02079d606f2cbffc96738822ae749312b0
-
alt-ruby26-rubygem-power-assert_1.1.3-18_arm64.deb
sha:90dbda4d7b2269373da806f43ece37c2659a3c8e
-
alt-ruby26-rubygem-psych_3.1.0-18_arm64.deb
sha:2f053f3ee3d507d8ba6ea516927677b95e69b1e6
-
alt-ruby26-rubygem-rake_12.3.3-18_arm64.deb
sha:5d97aaaa5ef3820a87f3d8bd8228a6e5a13058b2
-
alt-ruby26-rubygem-rdoc_6.1.2.1-18_arm64.deb
sha:8ec6116ce110e2de1b7b3024a6be5acb862d329b
-
alt-ruby26-rubygem-test-unit_3.2.9-18_arm64.deb
sha:ef5516f1970883454a13cc7f9b108b374cd24c3c
-
alt-ruby26-rubygem-typeprof_2.6.10-18_arm64.deb
sha:36bff44ec0f77d12b2605f0b00de495dc5aad2fb
-
alt-ruby26-rubygem-xmlrpc_0.3.0-18_arm64.deb
sha:a78037a5284b5d9df4724e196e672564d73cb830
-
alt-ruby26-rubygems_3.0.3.1-18_arm64.deb
sha:ab2441bdc544921b8f93106ea525107fbd846b83
-
alt-ruby26-rubygems-devel_3.0.3.1-18_arm64.deb
sha:3a34978f0f1e1aaaece4604915a7acbc473a0fea
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.