commit by to_remotes 2024-10-29 08:02:56 +0100 from cicd

2024-10-29 08:02:56 +01:00 · 2024-10-29 08:02:56 +01:00 · feac0d64dc
parent e5ecc13675
commit feac0d64dc
4 changed files with 22 additions and 7 deletions
--- a/bundle-audit-time.txt
+++ b/bundle-audit-time.txt
@ -1 +1 @@
-2024-10-28T13:18:27+01:00
+2024-10-29T08:02:56+01:00
--- a/bundle-audit.json
+++ b/bundle-audit.json
@ -1 +1 @@
-{"version":"0.9.2","created_at":"2024-10-28 13:18:27 +0100","results":[]}
+{"version":"0.9.2","created_at":"2024-10-29 08:02:56 +0100","results":[{"type":"unpatched_gem","gem":{"name":"rexml","version":"3.3.7"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rexml/CVE-2024-49761.yml","id":"CVE-2024-49761","url":"https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m","title":"REXML ReDoS vulnerability","date":"2024-10-28","description":"## Impact\n\nThe REXML gem before 3.3.9 has a ReDoS vulnerability when it\nparses an XML that has many digits between `&#` and `x...;`\nin a hex numeric character reference (`&#x...;`).\n\nThis does not happen with Ruby 3.2 or later. Ruby 3.1 is the only\naffected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.\n\n## Patches\n\nThe REXML gem 3.3.9 or later include the patch to fix the vulnerability.\n\n## Workarounds\n\nUse Ruby 3.2 or later instead of Ruby 3.1.\n\n## References\n\n* https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761\n  * Announced on www.ruby-lang.org.\n","cvss_v2":null,"cvss_v3":null,"cve":"2024-49761","osvdb":null,"ghsa":"2rxp-v6pw-ch6m","unaffected_versions":[],"patched_versions":[">= 3.3.9"],"criticality":null}}]}
--- a/report.txt
+++ b/report.txt
@ -1 +1,10 @@
-No vulnerabilities found
+Name: rexml
 Version: 3.3.7
 CVE: CVE-2024-49761
 GHSA: GHSA-2rxp-v6pw-ch6m
 Criticality: Unknown
 URL: https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
 Title: REXML ReDoS vulnerability
 Solution: update to '>= 3.3.9'
 Vulnerabilities found!
--- a/update-info.txt
+++ b/update-info.txt
@ -1,7 +1,13 @@
 Updating ruby-advisory-db ...
-Already up to date.
+Updating c105c3f..8c2227f
 Fast-forward
 gems/mpxj/CVE-2024-49771.yml  | 35 +++++++++++++++++++++++++++++++++++
 gems/rexml/CVE-2024-49761.yml | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100644 gems/mpxj/CVE-2024-49771.yml
 create mode 100644 gems/rexml/CVE-2024-49761.yml
 Updated ruby-advisory-db
 ruby-advisory-db:
-  advisories:	943 advisories
+  advisories:	945 advisories
-  last updated:	2024-10-24 06:19:33 -0700
+  last updated:	2024-10-28 22:53:04 -0700
-  commit:	c105c3f736cac6427f0d59192ba186f760281493
+  commit:	8c2227f3ee57a054db75c1278ee7f5fd5a97b924
`@ -1 +1 @@`
	`2024-10-28T13:18:27+01:00`	`2024-10-29T08:02:56+01:00`
		`@ -1 +1 @@`
			`{"version":"0.9.2","created_at":"2024-10-28 13:18:27 +0100","results":[]}`				{"version":"0.9.2","created_at":"2024-10-29 08:02:56 +0100","results":[{"type":"unpatched_gem","gem":{"name":"rexml","version":"3.3.7"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rexml/CVE-2024-49761.yml","id":"CVE-2024-49761","url":"https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m","title":"REXML ReDoS vulnerability","date":"2024-10-28","description":"## Impact\n\nThe REXML gem before 3.3.9 has a ReDoS vulnerability when it\nparses an XML that has many digits between `&#` and `x...;`\nin a hex numeric character reference (`&#x...;`).\n\nThis does not happen with Ruby 3.2 or later. Ruby 3.1 is the only\naffected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.\n\n## Patches\n\nThe REXML gem 3.3.9 or later include the patch to fix the vulnerability.\n\n## Workarounds\n\nUse Ruby 3.2 or later instead of Ruby 3.1.\n\n## References\n\n* https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761\n * Announced on www.ruby-lang.org.\n","cvss_v2":null,"cvss_v3":null,"cve":"2024-49761","osvdb":null,"ghsa":"2rxp-v6pw-ch6m","unaffected_versions":[],"patched_versions":[">= 3.3.9"],"criticality":null}}]}