[CLSA-2026:1780936269] Fix CVE(s): CVE-2024-35176, CVE-2024-39908
Type: security
Severity: Moderate
Release date: 2026-06-08 17:52:28 UTC
Description:
* SECURITY UPDATE: REXML DoS via many '<' or '>' characters in an attribute value
  - debian/patches/CVE-2024-35176.patch: in parse_attributes, when the outer @source.match stops at a '>' inside a quoted attribute value, read forward to the actual closing quote in a single chunk instead of looping one '>' at a time, so the per-attribute outer loop is O(1) iterations rather than O(n). Also extend IOSource#match to always re-try the regex after read() returns false at EOF so the final partially-filled buffer is still matched.
  - CVE-2024-35176
* SECURITY UPDATE: REXML ReDoS via repeated zeros in a character reference
  - debian/patches/CVE-2024-39908.patch: rewrite REXML::Text.check to iterate over '<' and '&' sentinels with String#index and validate each entity / character reference explicitly, instead of string.scan() with the NEEDS_A_SECOND_CHECK regex whose '&#0*' branch caused O(n^2) backtracking on inputs with many leading zeros. The remaining CVE-2024-39908 subvariants (repeated '>' inside
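
The sentinel scan described for CVE-2024-39908 above, shown as an added Ruby example; it is not the contents of debian/patches/CVE-2024-39908.patch and not REXML's code. `first_text_error`, `char_ref_error` and `NAME_RE` are hypothetical names, and the entity-name pattern and code-point range check are simplified assumptions.

```ruby
# Added illustration, not REXML's implementation. All names are hypothetical.
NAME_RE = /\A[A-Za-z_:][A-Za-z0-9_:.\-]*\z/ # simplified XML Name (assumption)
MAX_CODEPOINT = 0x10FFFF

# Validate the part of a character reference after '#', e.g. "65" or "x41".
# Returns nil when acceptable, otherwise a reason string.
def char_ref_error(ref)
  hex = ref.start_with?("x")
  digits = hex ? ref[1..] : ref
  ok = hex ? digits.match?(/\A[0-9a-fA-F]+\z/) : digits.match?(/\A[0-9]+\z/)
  return "malformed character reference" unless ok

  # Leading zeros are dropped once, in a single pass over the digits, so a
  # reference padded with many zeros costs time linear in its length.
  significant = digits.sub(/\A0+/, "")
  return "code point out of range" if significant.length > 7

  cp = significant.to_i(hex ? 16 : 10)
  return "code point out of range" if cp.zero? || cp > MAX_CODEPOINT

  nil
end

# Walk the text from one '<' or '&' sentinel to the next with String#index.
# Each reference is checked once and the cursor then moves past its ';',
# so no part of the input is rescanned.
# Returns nil when the text is acceptable, otherwise [offset, reason].
def first_text_error(text)
  pos = 0
  while (i = text.index(/[<&]/, pos))
    return [i, "raw '<'"] if text[i] == "<"

    semi = text.index(";", i + 1)
    return [i, "unterminated reference"] if semi.nil?

    body = text[(i + 1)...semi]
    if body.start_with?("#")
      err = char_ref_error(body[1..])
      return [i, err] if err
    elsif !NAME_RE.match?(body)
      return [i, "bad entity name"]
    end
    pos = semi + 1
  end
  nil
end
```
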
Updated packages:
  • alt-ruby30_3.0.7-172_amd64.deb
    sha:282103f7deff0e8fd0a8caefd64618a0fdbdebde
  • alt-ruby30-default-gems_3.0.7-172_amd64.deb
    sha:792aa8965b2b30466c42540250cec57dd6c7cda8
  • alt-ruby30-devel_3.0.7-172_amd64.deb
    sha:a6b452b9e3f919649ca26ba93a41b0b7e25982d3
  • alt-ruby30-doc_3.0.7-172_amd64.deb
    sha:7485aa87b89defb40989ebad5698672160915199
  • alt-ruby30-libs_3.0.7-172_amd64.deb
    sha:90bdab869e6b88235423b099f25bcb841af5b70d
  • alt-ruby30-rubygem-bigdecimal_3.0.0-172_amd64.deb
    sha:0dbe6d2abe12e1eca08eebe5defcc705d81ebdf7
  • alt-ruby30-rubygem-bundler_2.2.33-172_amd64.deb
    sha:d6e3484360b79f31efddf2c4ba8061bcfc55b8a1
  • alt-ruby30-rubygem-io-console_0.5.7-172_amd64.deb
    sha:8f1ba4e44f2ec190abfe85df65f71fe002daf657
  • alt-ruby30-rubygem-irb_1.3.5-172_amd64.deb
    sha:15c284180f61d7ebf40ef6effff310df3b848394
  • alt-ruby30-rubygem-json_2.5.1-172_amd64.deb
    sha:ccb031280d2807f01adcfea5957bb2fb0a0628b2
  • alt-ruby30-rubygem-minitest_5.14.2-172_amd64.deb
    sha:439fd5ebe5e82e4c8c7d61f3f000c21fb70adc0b
  • alt-ruby30-rubygem-power-assert_1.2.1-172_amd64.deb
    sha:c19284fa61d3da54a36e91341b13c4a92f775558
  • alt-ruby30-rubygem-psych_3.3.2-172_amd64.deb
    sha:739294a5c123751fa2dee19edcc924e212e0469d
  • alt-ruby30-rubygem-rake_13.0.3-172_amd64.deb
    sha:471967d68e4099a805951e83a41cf2fffbcc1314
  • alt-ruby30-rubygem-rbs_1.4.0-172_amd64.deb
    sha:9b2feb8ba7b42b85b0d17f6190ea6add26fcf836
  • alt-ruby30-rubygem-rdoc_6.3.4.1-172_amd64.deb
    sha:ab7bfb0558f76b4e7d0724ab16dcd7ce74f60700
  • alt-ruby30-rubygem-rexml_3.2.5-172_amd64.deb
    sha:6c0611dc31d0861b0ccb721909c8df88696afe67
  • alt-ruby30-rubygem-rss_0.2.9-172_amd64.deb
    sha:878f905381f0af73f9e3d9eff6ff33dda3102f00
  • alt-ruby30-rubygem-test-unit_3.3.7-172_amd64.deb
    sha:efc4e27e5134c1333ad876961e8475fb4104aa7e
  • alt-ruby30-rubygem-typeprof_0.15.2-172_amd64.deb
    sha:93f4b54d1a876047c14c1e928842859f58bf2d43
  • alt-ruby30-rubygems_3.2.33-172_amd64.deb
    sha:fb141571b509d50363661923f3011f5f9a205f23
  • alt-ruby30-rubygems-devel_3.2.33-172_amd64.deb
    sha:3a95d1260e9eae6a44ba868bc5af2596a6c601ab
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.