UbuntuUpdates.org

Package "ruby3.2"

Name: ruby3.2

Description:

Interpreter of object-oriented scripting language Ruby

Latest version: 3.2.3-1ubuntu0.24.04.3
Release: noble (24.04)
Level: security
Repository: main
Homepage: https://www.ruby-lang.org/

Other versions of "ruby3.2" in Noble

Repository   Area   Version
base         main   3.2.3-1build3
updates      main   3.2.3-1ubuntu0.24.04.3


Changelog

Version: 3.2.3-1ubuntu0.24.04.3 2024-11-05 06:06:56 UTC

  ruby3.2 (3.2.3-1ubuntu0.24.04.3) noble-security; urgency=medium

  * SECURITY UPDATE: denial of service in REXML
    - debian/patches/CVE-2024-35176_39908_41123.patch: Read quoted
      attributes in chunks
    - debian/patches/CVE-2024-41946.patch: Add support for XML entity
      expansion limitation in SAX and pull parsers
    - debian/patches/CVE-2024-49761.patch: fix a bug that &#0x...; is
      accepted as a character reference
    - CVE-2024-35176
    - CVE-2024-39908
    - CVE-2024-41123
    - CVE-2024-41946
    - CVE-2024-49761

 -- Nishit Majithia <email address hidden> Fri, 25 Oct 2024 14:06:35 +0530

CVE-2024-35176 REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an att
CVE-2024-41946 REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull
CVE-2024-49761 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...
CVE-2024-39908 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters suc
CVE-2024-41123 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters suc

Version: 3.2.3-1ubuntu0.24.04.1 2024-06-17 15:07:14 UTC

  ruby3.2 (3.2.3-1ubuntu0.24.04.1) noble-security; urgency=medium

  * SECURITY UPDATE: code execution in RDoc
    - debian/patches/CVE-2024-27281-1.patch: filter marshalled objects in
      lib/rdoc/store.rb.
    - debian/patches/CVE-2024-27281-2.patch: fix NoMethodError for
      start_with in lib/rdoc/store.rb.
    - CVE-2024-27281
  * SECURITY UPDATE: heap data extraction via regex
    - debian/patches/CVE-2024-27282.patch: fix Use-After-Free issue for
      Regexp in regexec.c.
    - CVE-2024-27282

 -- Marc Deslauriers <email address hidden> Fri, 14 Jun 2024 07:50:43 -0400

CVE-2024-27281 An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in
CVE-2024-27282 An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitr


