Upgrade rexml to 3.3.3+ for CVE-2024-41123 and CVE-2024-41946 #582

Merged 1 commit on Aug 2, 2024

Conversation

@Fryguy (Member) commented Aug 1, 2024

In #581 I wrote

> I expect in the future REXML will fail on these leading text nodes,
> so we may have to revisit this at that time.

and that has now happened in rexml 3.3.3 (ruby/rexml#184), so this commit also removes the spec for leading text nodes, since they can no longer be parsed. The BOM test ensures that the leading BOM marker is not treated as a text node.

@jrafanie Please review.

In ManageIQ#581 I wrote

> I expect in the future REXML will fail on these leading text nodes,
> so we may have to revisit this at that time.

and that has now happened in rexml 3.3.3, so this commit also removes
the spec for leading text nodes, since they can no longer be parsed.
The BOM test ensures that the leading BOM marker is not treated as a
text node.
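As an added example (not code from the PR or the ManageIQ project), this Ruby script shows the two behaviours the description and commit message above rely on: a leading UTF-8 BOM is consumed by REXML's encoding detection and never becomes a Text node, while stray text before the root element either becomes a leading Text node (rexml before 3.3.3) or is rejected with a ParseException (3.3.3 and later, ruby/rexml#184). The sample documents are constructed here, and `classify_leading_content` and `rexml_rejects_leading_text?` are helper names chosen for this example.

```ruby
require "rexml/document"

# Constructed sample inputs (not taken from the PR): a well-formed document,
# the same bytes prefixed with a UTF-8 byte-order mark, and the same bytes
# prefixed with stray text, which is not well-formed XML.
XML_BODY     = "<config><host>db01</host></config>"
WITH_BOM     = "\xEF\xBB\xBF#{XML_BODY}"
LEADING_TEXT = "junk before root#{XML_BODY}"

# Parse +xml+ with REXML and report what it made of the bytes before the
# root element. Returns a Hash with:
#   :root         name of the root element, or nil when parsing failed
#   :leading_text value of a Text node REXML placed before the root, if any
#   :error        first line of the REXML::ParseException message, if raised
def classify_leading_content(xml)
  doc = REXML::Document.new(xml)
  # doc.root skips ahead to the first Element, so inspect the raw child
  # list to see whether a Text node was placed in front of it.
  first = doc.children.first
  {
    root: doc.root && doc.root.name,
    leading_text: first.is_a?(REXML::Text) ? first.value : nil,
    error: nil,
  }
rescue REXML::ParseException => e
  { root: nil, leading_text: nil, error: e.message.lines.first.to_s.strip }
end

# True once the installed REXML is at or past 3.3.3, the release the PR
# moves to, which rejects non-whitespace content before the root element
# instead of turning it into a leading Text node.
def rexml_rejects_leading_text?
  Gem::Version.new(REXML::VERSION) >= Gem::Version.new("3.3.3")
end

if __FILE__ == $PROGRAM_NAME
  { "plain" => XML_BODY, "bom" => WITH_BOM, "text" => LEADING_TEXT }.each do |label, xml|
    puts "#{label}: #{classify_leading_content(xml).inspect}"
  end
  puts "REXML #{REXML::VERSION} rejects leading text: #{rexml_rejects_leading_text?}"
end
```

Run it under both a pre-3.3.3 and a 3.3.3+ rexml to see the leading-text result flip from a Text node to a parse error while the BOM case stays unchanged.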
@Fryguy Fryguy added dependencies radjabov/yes? security fix Security fix generated by WhiteSource labels Aug 1, 2024
@miq-bot (Member) commented Aug 1, 2024

Checked commit Fryguy@f8daeab with ruby 3.1.5, rubocop 1.56.3, haml-lint 0.51.0, and yamllint
1 file checked, 0 offenses detected
Everything looks fine. 🍪

@jrafanie (Member) left a comment


LGTM

@jrafanie jrafanie merged commit aa3f5b2 into ManageIQ:master Aug 2, 2024
5 of 6 checks passed
@Fryguy Fryguy deleted the rexml_3_3_4 branch August 2, 2024 15:07
@Fryguy (Member, Author) commented Aug 15, 2024

Backported to radjabov via merge of master into radjabov branch

@Fryguy (Member, Author) commented Oct 2, 2024

Backported to quinteros in commit 89c10f4.

commit 89c10f4de5f43c625f166beab7b1f1583773d0ae
Author: Joe Rafaniello <[email protected]>
Date:   Fri Aug 2 10:39:12 2024 -0400

    Merge pull request #582 from Fryguy/rexml_3_3_4
    
    Upgrade rexml to 3.3.3+ for CVE-2024-41123 and CVE-2024-41946
    
    (cherry picked from commit aa3f5b2f93c3f55426f010ff751ce7728abbc748)

Fryguy pushed a commit that referenced this pull request Oct 2, 2024
Upgrade rexml to 3.3.3+ for CVE-2024-41123 and CVE-2024-41946

(cherry picked from commit aa3f5b2)