Bugzilla – Bug 1184644
VUL-0: CVE-2021-28965: ruby2.5,ruby2.1,ruby: XML round-trip vulnerability in REXML
Last modified: 2023-04-12 00:42:39 UTC
rh#1947526

When parsing and serializing a crafted XML document, the REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML.

Reference: https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1947526
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28965
https://access.redhat.com/security/cve/CVE-2021-28965
This is an autogenerated message for OBS integration:

This bug (1184644) was mentioned in
https://build.opensuse.org/request/show/884952 Factory / ruby3.0
https://build.opensuse.org/request/show/884953 Factory / ruby2.7
SUSE-SU-2021:1280-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1184644
CVE References: CVE-2021-28965
JIRA References:
Sources used:
SUSE MicroOS 5.0 (src): ruby2.5-2.5.9-4.17.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): ruby2.5-2.5.9-4.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0607-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1184644
CVE References: CVE-2021-28965
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): ruby2.5-2.5.9-lp152.2.6.1
After careful consideration on our end, we have come to the decision that backporting this fix is not economically feasible or timely. Please reach out to security@suse.de in case of any questions.