<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-devtools/ruby, branch kirkstone</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=kirkstone</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=kirkstone'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-12-01T14:50:49+00:00</updated>
<entry>
<title>ruby: fix CVE-2024-41123</title>
<updated>2025-12-01T14:50:49+00:00</updated>
<author>
<name>Divya Chellam</name>
<email>divya.chellam@windriver.com</email>
</author>
<published>2025-11-20T09:37:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6639c7b29502bed5ce1bfb0abcfd4dc09b3e1da6'/>
<id>urn:sha1:6639c7b29502bed5ce1bfb0abcfd4dc09b3e1da6</id>
<content type='text'>
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS
vulnerabilities when it parses an XML that has many specific characters
such as whitespace character, `&gt;]` and `]&gt;`. The REXML gem 3.3.3 or later
include the patches to fix these vulnerabilities.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41123

Upstream-patches:
https://github.com/ruby/rexml/commit/2c39c91a65d69357cfbc35dd8079b3606d86bb70
https://github.com/ruby/rexml/commit/4444a04ece4c02a7bd51e8c75623f22dc12d882b
https://github.com/ruby/rexml/commit/ebc3e85bfa2796fb4922c1932760bec8390ff87c
https://github.com/ruby/rexml/commit/6cac15d45864c8d70904baa5cbfcc97181000960
https://github.com/ruby/rexml/commit/e2546e6ecade16b04c9ee528e5be8509fe16c2d6

(From OE-Core rev: 6b2a2e689a69deef6098f6c266542234e46fb24b)

Signed-off-by: Divya Chellam &lt;divya.chellam@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>ruby: fix CVE-2024-39908</title>
<updated>2025-12-01T14:50:49+00:00</updated>
<author>
<name>Divya Chellam</name>
<email>divya.chellam@windriver.com</email>
</author>
<published>2025-11-20T09:37:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=7c4bd642e4ce30e2a7504fcd4fe12fca2f6b91e1'/>
<id>urn:sha1:7c4bd642e4ce30e2a7504fcd4fe12fca2f6b91e1</id>
<content type='text'>
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some
DoS vulnerabilities when it parses an XML that has many specific characters
such as `&lt;`, `0` and `%&gt;`. If you need to parse untrusted XMLs, you many be
impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the
patches to fix these vulnerabilities. Users are advised to upgrade. Users
unable to upgrade should avoid parsing untrusted XML strings.

Reference:
https://security-tracker.debian.org/tracker/CVE-2024-39908

Upstream-patches:
https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420
https://github.com/ruby/rexml/commit/d146162e9a61574499d10428bc0065754cd26601
https://github.com/ruby/rexml/commit/b5bf109a599ea733663150e99c09eb44046b41dd
https://github.com/ruby/rexml/commit/b8a5f4cd5c8fe29c65d7a00e67170223d9d2b50e
https://github.com/ruby/rexml/commit/0af55fa49d4c9369f90f239a9571edab800ed36e
https://github.com/ruby/rexml/commit/c1b64c174ec2e8ca2174c51332670e3be30c865f
https://github.com/ruby/rexml/commit/9f1415a2616c77cad44a176eee90e8457b4774b6
https://github.com/ruby/rexml/commit/c33ea498102be65082940e8b7d6d31cb2c6e6ee2
https://github.com/ruby/rexml/commit/a79ac8b4b42a9efabe33a0be31bd82d33fd50347
https://github.com/ruby/rexml/commit/67efb5951ed09dbb575c375b130a1e469f437d1f
https://github.com/ruby/rexml/commit/1f1e6e9b40bf339894e843dfd679c2fb1a5ddbf2
https://github.com/ruby/rexml/commit/910e5a2b487cb5a30989884a39f9cad2cc499cfc

(From OE-Core rev: 6e0b70843422cd7cdb25a9e1520dd64bf701fea6)

Signed-off-by: Divya Chellam &lt;divya.chellam@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>ruby: fix CVE-2024-35176</title>
<updated>2025-12-01T14:50:49+00:00</updated>
<author>
<name>Divya Chellam</name>
<email>divya.chellam@windriver.com</email>
</author>
<published>2025-11-20T09:37:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f58483837ce2ebfaf71ba4f8b75db5f6acc405a3'/>
<id>urn:sha1:f58483837ce2ebfaf71ba4f8b75db5f6acc405a3</id>
<content type='text'>
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a
denial of service vulnerability when it parses an XML that has many
`&lt;`s in an attribute value. Those who need to parse untrusted XMLs
may be impacted to this vulnerability. The REXML gem 3.2.7 or later
include the patch to fix this vulnerability. As a workaround, don't
parse untrusted XMLs.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-35176

Upstream-patch:
https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb

(From OE-Core rev: a89fcaf0c3ac2afd95e836bc1356832296135696)

Signed-off-by: Divya Chellam &lt;divya.chellam@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>ruby: correct fix for CVE-2024-43398</title>
<updated>2025-07-30T14:47:48+00:00</updated>
<author>
<name>Rob Woolley</name>
<email>rob.woolley@windriver.com</email>
</author>
<published>2025-07-24T20:12:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8fa7ff501e27a0ccd9bfc3f3e58a26949cdfc1f0'/>
<id>urn:sha1:8fa7ff501e27a0ccd9bfc3f3e58a26949cdfc1f0</id>
<content type='text'>
The previous fix for CVE-2024-43398 did not include patches
to provide context for the changes it made.

This caused an exception at run-time when ruby parsed
rexml/parsers/baseparser.rb. This was first observed when using
ruby-native to build the sdformat recipe.

With these additional backports, the sdformat build proceeds
successfully. The REXML library was also tested manually on-target
with a script that used REXML::Document.new file to parse an
XML file.

(From OE-Core rev: 6bf00fde2d4043c6b558733a33041ce5694342d3)

Signed-off-by: Rob Woolley &lt;rob.woolley@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>ruby: fix CVE-2025-27221</title>
<updated>2025-05-28T15:46:32+00:00</updated>
<author>
<name>Divya Chellam</name>
<email>divya.chellam@windriver.com</email>
</author>
<published>2025-05-23T13:23:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=32d2b233c6b194992c8125728d4230d748be0659'/>
<id>urn:sha1:32d2b233c6b194992c8125728d4230d748be0659</id>
<content type='text'>
In the URI gem before 1.0.3 for Ruby, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained even
after changing the host.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-27221

Upstream-patches:
https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495
https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5

(From OE-Core rev: c77ff1288719d90ef257dfe28cb33b3768fc124a)

Signed-off-by: Divya Chellam &lt;divya.chellam@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>ruby: fix CVE-2024-43398</title>
<updated>2025-04-18T15:30:51+00:00</updated>
<author>
<name>Divya Chellam</name>
<email>divya.chellam@windriver.com</email>
</author>
<published>2025-04-15T11:11:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6eba29d9462a5833fbd49064ea32502c8da6405c'/>
<id>urn:sha1:6eba29d9462a5833fbd49064ea32502c8da6405c</id>
<content type='text'>
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS
vulnerability when it parses an XML that has many deep elements that have
same local name attributes. If you need to parse untrusted XMLs with tree
parser API like REXML::Document.new, you may be impacted to this vulnerability.
If you use other parser APIs such as stream parser API and SAX2 parser API,
this vulnerability is not affected. The REXML gem 3.3.6 or later include the
patch to fix the vulnerability.

Reference:
https://security-tracker.debian.org/tracker/CVE-2024-43398

Upstream-patch:
https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3

(From OE-Core rev: f23d1bfca0ea57150c397bc2e495191fb61423d0)

Signed-off-by: Divya Chellam &lt;divya.chellam@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>ruby: Fix CVE-2025-27219</title>
<updated>2025-03-19T14:13:17+00:00</updated>
<author>
<name>Ashish Sharma</name>
<email>asharma@mvista.com</email>
</author>
<published>2025-03-13T10:16:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ef3aca9b211d43774eb16bc0768102ac027e428e'/>
<id>urn:sha1:ef3aca9b211d43774eb16bc0768102ac027e428e</id>
<content type='text'>
Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab]

(From OE-Core rev: 31d67739490ec2abf92328b3f0ceff22ce5d4974)

Signed-off-by: Ashish Sharma &lt;asharma@mvista.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>ruby: Fix CVE-2025-27220</title>
<updated>2025-03-13T15:50:03+00:00</updated>
<author>
<name>Hitendra Prajapati</name>
<email>hprajapati@mvista.com</email>
</author>
<published>2025-03-07T06:14:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=fd0eb2db0e4eed6918d4f28b40d9963eb54c8de6'/>
<id>urn:sha1:fd0eb2db0e4eed6918d4f28b40d9963eb54c8de6</id>
<content type='text'>
Upstream-Status: Backport from https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6

(From OE-Core rev: 44665939783cb2b32f5ade1772e0ceef47f9a853)

Signed-off-by: Hitendra Prajapati &lt;hprajapati@mvista.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>ruby: fix CVE-2024-41946</title>
<updated>2025-02-24T15:00:53+00:00</updated>
<author>
<name>Divya Chellam</name>
<email>divya.chellam@windriver.com</email>
</author>
<published>2025-02-13T14:16:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=138ab1c7df95368efdc4b79d656f9f5b16a74b25'/>
<id>urn:sha1:138ab1c7df95368efdc4b79d656f9f5b16a74b25</id>
<content type='text'>
REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS
vulnerability when it parses an XML that has many entity expansions
with SAX2 or pull parser API. The REXML gem 3.3.3 or later include
the patch to fix the vulnerability.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41946

Upstream-patch:
https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368

(From OE-Core rev: b0e74fd8922bba8e954a223ec46de5c33d2ff743)

Signed-off-by: Divya Chellam &lt;divya.chellam@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>ruby: fix CVE-2024-49761</title>
<updated>2025-01-18T14:21:02+00:00</updated>
<author>
<name>Divya Chellam</name>
<email>divya.chellam@windriver.com</email>
</author>
<published>2025-01-10T12:27:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=61c55b9e300785a953a62eca15f41c61973ce012'/>
<id>urn:sha1:61c55b9e300785a953a62eca15f41c61973ce012</id>
<content type='text'>
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS
vulnerability when it parses an XML that has many digits between &amp;# and x...;
in a hex numeric character reference (&amp;#x.... This does not happen with
Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby.
The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

CVE-2024-49761-0009.patch is the CVE fix and rest are dependent commits.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-49761

Upstream-patch:
https://github.com/ruby/rexml/commit/810d2285235d5501a0a124f300832e6e9515da3c
https://github.com/ruby/rexml/commit/83ca5c4b0f76cf7b307dd1be1dc934e1e8199863
https://github.com/ruby/rexml/commit/51217dbcc64ecc34aa70f126b103bedf07e153fc
https://github.com/ruby/rexml/commit/7e4049f6a68c99c4efec2df117057ee080680c9f
https://github.com/ruby/rexml/commit/fc6cad570b849692a28f26a963ceb58edc282bbc
https://github.com/ruby/rexml/commit/77128555476cb0db798e2912fb3a07d6411dc320
https://github.com/ruby/rexml/commit/370666e314816b57ecd5878e757224c3b6bc93f5
https://github.com/ruby/rexml/commit/a579730f25ec7443796495541ec57c071b91805d
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f

(From OE-Core rev: 5b453400e9dd878b81b1447d14b3f518809de17e)

Signed-off-by: Divya Chellam &lt;divya.chellam@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
