FreeBSD Bugzilla – Attachment 223832 Details for Bug 254793
security/vuxml: Document XML round-trip vulnerability of REXML in Ruby
[patch] Patch file
security_vuxml_ruby.patch (text/plain), 1.84 KB, created by Yasuhiro Kimura on 2021-04-05 14:48:40 UTC
>diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml >index 98e485c04fae..3f67b5777052 100644 >--- a/security/vuxml/vuln.xml >+++ b/security/vuxml/vuln.xml >@@ -78,6 +78,45 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> >+ <vuln vid="dec7e4b6-961a-11eb-9c34-080027f515ea"> >+ <topic>ruby -- XML round-trip vulnerability in REXML</topic> >+ <affects> >+ <package> >+ <name>ruby</name> >+ <range><ge>2.5.0,1</ge><lt>2.5.9,1</lt></range> >+ <range><ge>2.6.0,1</ge><lt>2.6.7,1</lt></range> >+ <range><ge>2.7.0,1</ge><lt>2.7.3,1</lt></range> >+ <range><ge>3.0.0.p1,1</ge><lt>3.0.1,1</lt></range> >+ </package> >+ <package> >+ <name>rubygem-rexml</name> >+ <range><lt>3.2.5</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Juho Nurminen reports:</p> >+ <blockquote cite="https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/"> >+ <p> >+ When parsing and serializing a crafted XML document, REXML gem >+ (including the one bundled with Ruby) can create a wrong XML >+ document whose structure is different from the original one. >+ The impact of this issue highly depends on context, but it may >+ lead to a vulnerability in some programs that are using REXML. >+ </p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2021-28965</cvename> >+ <url>https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/</url> >+ </references> >+ <dates> >+ <discovery>2021-04-05</discovery> >+ <entry>2021-04-05</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="1f6d97da-8f72-11eb-b3f1-005056a311d1"> > <topic>samba -- Multiple Vulnerabilities</topic> > <affects>
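Review bot: In the ruby `<package>` block, the 3.0 range starts at `<ge>3.0.0.p1,1</ge>` while the 2.5, 2.6 and 2.7 ranges start at the plain `X.Y.0,1` form; please confirm that lower bound is intended and compares the way you expect, or add a short comment explaining why it differs from the other three. Separately, `<p>Juho Nurminen reports:</p>` introduces a blockquote whose `cite` attribute is the ruby-lang.org announcement, so if the quoted paragraph is the announcement's wording, the attribution line should name that source instead.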
Attachments on bug 254793: 223832 | 223857