Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#14871 closed enhancement (fixed)


Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 11.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:


New point version

Change History (4)

comment:1 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 3 years ago

Priority: normal → elevated
Ruby 3.0.1 Released
Posted by naruse on 5 Apr 2021

Ruby 3.0.1 has been released.

This release includes security fixes. Please check the topics below for details.

    CVE-2021-28965: XML round-trip vulnerability in REXML
    CVE-2021-28966: Path traversal in Tempfile on Windows

See the commit logs for details.

One of the vulnerabilities listed here affects us - CVE-2021-28965. The other one only affects Windows.


CVE-2021-28965: XML round-trip vulnerability in REXML
Posted by mame on 5 Apr 2021

There is an XML round-trip vulnerability in REXML gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2021-28965. We strongly recommend upgrading the REXML gem.


When parsing and serializing a crafted XML document, REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML.

Please update REXML gem to version 3.2.5 or later.

If you are using Ruby 2.6 or later:
    Please use Ruby 2.6.7, 2.7.3, or 3.0.1.
    Alternatively, you can use gem update rexml to update it. If you are using bundler, please add gem "rexml", ">= 3.2.5" to your Gemfile.

If you are using Ruby 2.5.8 or prior:
    Please use Ruby 2.5.9.
    You cannot use gem update rexml for Ruby 2.5.8 or prior.
    Note that Ruby 2.5 series is now EOL, so please consider upgrading Ruby to 2.6.7 or later as soon as possible.

Affected versions
    Ruby 2.5.8 or prior (You can NOT use gem upgrade rexml for this version.)
    Ruby 2.6.7 or prior
    Ruby 2.7.2 or prior
    Ruby 3.0.1 or prior
    REXML gem 3.2.4 or prior

Thanks to Juho Nurminen for discovering this issue.

    Originally published at 2021-04-05 12:00:00 (UTC)
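
An added example, not part of the ticket or of the Ruby advisory: a Ruby check that applies the advisory's fixed-version list to a given Ruby release and REXML version. The helper name, the status symbols and the sample inventory are assumptions made for this example, and a fixed Ruby release is taken to mean its shipped REXML copy is the one in use.

```ruby
require "rubygems" # Gem::Version (normally loaded already)

# First fixed release of each Ruby series named in the advisory.
FIXED_RUBY = { "2.5" => "2.5.9", "2.6" => "2.6.7",
               "2.7" => "2.7.3", "3.0" => "3.0.1" }.freeze
FIXED_REXML = Gem::Version.new("3.2.5")
# Below this Ruby version the advisory says `gem update rexml` cannot be used.
GEM_UPDATE_FLOOR = Gem::Version.new("2.6")

# Hypothetical helper: returns [status, advice]; status is :ok, :vulnerable
# or :unknown. rexml_version is the REXML version in use, nil when not known.
def rexml_status(ruby_version, rexml_version = nil)
  ruby   = Gem::Version.new(ruby_version)
  series = ruby.segments.first(2).join(".")
  fixed  = FIXED_RUBY[series]

  # An updated gem only counts as a remedy on Ruby 2.6 or later.
  if ruby >= GEM_UPDATE_FLOOR && rexml_version &&
     Gem::Version.new(rexml_version) >= FIXED_REXML
    return [:ok, "rexml #{rexml_version} is 3.2.5 or later"]
  end
  # A fixed Ruby release is accepted on its own, as the advisory lists it as a remedy.
  if fixed && ruby >= Gem::Version.new(fixed)
    return [:ok, "Ruby #{ruby_version} is at or past #{fixed}"]
  end
  if ruby < GEM_UPDATE_FLOOR
    return [:vulnerable, "use Ruby 2.5.9, or better 2.6.7 or later (2.5 is EOL)"]
  end
  return [:vulnerable, "use Ruby #{fixed} or update rexml to >= 3.2.5"] if fixed

  [:unknown, "Ruby #{series} is not listed in the advisory; confirm rexml >= 3.2.5"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory: [ruby version, rexml version or nil].
  [["2.7.2", nil], ["2.7.2", "3.2.5"],
   ["2.5.8", "3.2.5"], ["3.0.1", "3.2.5"]].each do |r, x|
    status, advice = rexml_status(r, x)
    puts format("ruby %-6s rexml %-6s %-11s %s", r, x || "-", status, advice)
  end
end
```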

comment:3 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assigned → closed

comment:4 by Bruce Dubbs, 3 years ago

Milestone: 10.2 → 11.0

Milestone renamed
