Release date:
2026-06-09 08:26:56 UTC
Description:
* SECURITY UPDATE: REXML DoS via an attribute value containing many '>'
  - debian/patches/CVE-2024-35176.patch: in parse_attributes
    (lib/rexml/parsers/baseparser.rb), resolve the missing-closing-quote
    case in a single pass -- read the value rest up to the closing quote
    and then up to the tag end with two source.match calls -- instead of
    consuming one '>'-chunk per iteration, which reset the scanner and
    re-ran ATTRIBUTE_PATTERN over the accumulating buffer, giving O(N^2)
    behaviour. Also make IOSource#match (lib/rexml/source.rb) retry the
    pattern after every read attempt so the partial buffer is matched once
    more before the source is declared exhausted, as required by the new
    value-rest read. Adapted from upstream ruby/rexml ba70cfef ("Read
    quoted attributes in chunks"); the read_until API added upstream has
    no callers here once parse_attributes is fixed in place. Adds a
    Timeout-based regression test
    (test/rexml/parse/test_attribute_gt_redos.rb) adapted from upstream.
  - CVE-2024-35176
* SECURITY UPDATE: REXML ReDoS via repeated spaces inside linear). Adapted from
upstream ruby/rexml 1f1e6e9; a byte-identical md[0].strip is a no-op on
3.1.9.1 because here md[0] starts with the "=12 also skip the net/http and net/smtp tests,
which spawn TCP servers via tcp_server_sockets_port0 and flake with
Errno::EADDRINUSE under concurrent builds (mirrors alt-ruby31).
  - debian/patches/fix-tests-mjit-fork.patch: backport upstream 7a859b6a
    (Ruby 2.7.0+) to fix the flaky TestJIT#test_fork_with_mjit_worker_thread
    stderr output race; never backported to the 2.6 series.
Updated packages:
- alt-ruby26_2.6.10-18_amd64.deb
- alt-ruby26-default-gems_2.6.10-18_amd64.deb
- alt-ruby26-devel_2.6.10-18_amd64.deb
- alt-ruby26-devel-doc_2.6.10-18_amd64.deb
- alt-ruby26-doc_2.6.10-18_amd64.deb
- alt-ruby26-libs_2.6.10-18_amd64.deb
- alt-ruby26-rubygem-bigdecimal_1.4.1-18_amd64.deb
- alt-ruby26-rubygem-did-you-mean_2.6.10-18_amd64.deb
- alt-ruby26-rubygem-io-console_0.4.7-18_amd64.deb
- alt-ruby26-rubygem-json_2.1.0-18_amd64.deb
- alt-ruby26-rubygem-minitest_5.11.3-18_amd64.deb
- alt-ruby26-rubygem-net-telnet_0.2.0-18_amd64.deb
- alt-ruby26-rubygem-openssl_2.6.10-18_amd64.deb
- alt-ruby26-rubygem-power-assert_1.1.3-18_amd64.deb
- alt-ruby26-rubygem-psych_3.1.0-18_amd64.deb
- alt-ruby26-rubygem-rake_12.3.3-18_amd64.deb
- alt-ruby26-rubygem-rdoc_6.1.2.1-18_amd64.deb
- alt-ruby26-rubygem-test-unit_3.2.9-18_amd64.deb
- alt-ruby26-rubygem-typeprof_2.6.10-18_amd64.deb
- alt-ruby26-rubygem-xmlrpc_0.3.0-18_amd64.deb
- alt-ruby26-rubygems_3.0.3.1-18_amd64.deb
- alt-ruby26-rubygems-devel_3.0.3.1-18_amd64.deb
- alt-ruby26_2.6.10-18_arm64.deb
- alt-ruby26-default-gems_2.6.10-18_arm64.deb
- alt-ruby26-devel_2.6.10-18_arm64.deb
- alt-ruby26-devel-doc_2.6.10-18_arm64.deb
- alt-ruby26-doc_2.6.10-18_arm64.deb
- alt-ruby26-libs_2.6.10-18_arm64.deb
- alt-ruby26-rubygem-bigdecimal_1.4.1-18_arm64.deb
- alt-ruby26-rubygem-did-you-mean_2.6.10-18_arm64.deb
- alt-ruby26-rubygem-io-console_0.4.7-18_arm64.deb
- alt-ruby26-rubygem-json_2.1.0-18_arm64.deb
- alt-ruby26-rubygem-minitest_5.11.3-18_arm64.deb
- alt-ruby26-rubygem-net-telnet_0.2.0-18_arm64.deb
- alt-ruby26-rubygem-openssl_2.6.10-18_arm64.deb
- alt-ruby26-rubygem-power-assert_1.1.3-18_arm64.deb
- alt-ruby26-rubygem-psych_3.1.0-18_arm64.deb
- alt-ruby26-rubygem-rake_12.3.3-18_arm64.deb
- alt-ruby26-rubygem-rdoc_6.1.2.1-18_arm64.deb
- alt-ruby26-rubygem-test-unit_3.2.9-18_arm64.deb
- alt-ruby26-rubygem-typeprof_2.6.10-18_arm64.deb
- alt-ruby26-rubygem-xmlrpc_0.3.0-18_arm64.deb
- alt-ruby26-rubygems_3.0.3.1-18_arm64.deb
- alt-ruby26-rubygems-devel_3.0.3.1-18_arm64.deb
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the CloudLinux Packaging Team.