Bug #21632 (closed)
Backport REXML CVE-2025-58767 fix
Description
Even though it's a bundled gem and not a default gem, it would be worthwhile backporting the fix for CVE-2025-58767 (https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/).
Ruby 3.4 PR: https://github.com/ruby/ruby/pull/14795
Ruby 3.3 PR: https://github.com/ruby/ruby/pull/14796
I'm not sure what to do for Ruby 3.2. It's a security fix so it qualifies for a backport, but there are other changes included in a version bump. Do we need a rexml 3.3.9.1?
Updated by Anonymous 21 days ago
- Status changed from Open to Closed
Applied in changeset git|a841c313c50e7ebf74df6e940334c34c68145270.
Update rexml to 3.4.4 for Ruby 3.4 (CVE-2025-58767) (#14795)
Update rexml to 3.4.4
[Backport #21632]
Updated by naitoh (Jun NAITOH) 17 days ago
- Status changed from Closed to Feedback
- Backport changed from 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN to 3.2: REQUIRED, 3.3: DONE, 3.4: DONE
I'm not sure what to do for Ruby 3.2. It's a security fix so it qualifies for a backport, but there are other changes included in a version bump.
I am a maintainer of REXML.
Ruby 3.2 is subject to security fixes, so I believe an update is necessary.
I created this PR.
Updated by naitoh (Jun NAITOH) 14 days ago
- Status changed from Feedback to Closed
- Backport changed from 3.2: REQUIRED, 3.3: DONE, 3.4: DONE to 3.2: DONE, 3.3: DONE, 3.4: DONE
Merged.
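As an added example (not code from the tracker thread or from the rexml project), a defender's check that flags rexml versions older than the fixed release 3.4.4 named above, both in a constructed Gemfile.lock and in the gem set visible to the running Ruby. It assumes the standard Bundler lockfile layout where a spec line reads `name (version)`.

```ruby
# Added example: detect rexml versions that predate the CVE-2025-58767 fix.
# 3.4.4 is the fixed release the thread backports; this is not the rexml gem's own code.
require "rubygems"

FIXED_REXML_VERSION = Gem::Version.new("3.4.4")

# True when the given version string is older than rexml 3.4.4.
# Gem::Version handles four-part versions such as "3.3.9.1" correctly.
def vulnerable_rexml?(version)
  Gem::Version.new(version) < FIXED_REXML_VERSION
end

# Scans Gemfile.lock text and returns [name, version] pairs for resolved rexml
# spec lines ("    rexml (3.3.9)") that predate the fix. Dependency lines such
# as "rexml (>= 3.3.9)" are constraints, not resolved versions, and are skipped.
def vulnerable_rexml_entries(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = line.match(/\A\s+(rexml)\s+\(([\w.]+)\)\s*\z/)
    next unless m
    name, version = m[1], m[2]
    [name, version] if vulnerable_rexml?(version)
  end
end

# Checks the rexml gem this Ruby would load (bundled or installed); nil if none is present.
def installed_rexml_vulnerable?
  spec = Gem::Specification.find_by_name("rexml")
  vulnerable_rexml?(spec.version.to_s)
rescue Gem::MissingSpecError
  nil
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
      rexml (3.3.9)
      rubocop (1.66.0)
        rexml (>= 3.3.9)

  PLATFORMS
    ruby
LOCK

if __FILE__ == $0
  vulnerable_rexml_entries(SAMPLE_LOCK).each do |name, v|
    puts "#{name} #{v} is older than #{FIXED_REXML_VERSION}; upgrade (CVE-2025-58767)"
  end
  puts "installed rexml vulnerable: #{installed_rexml_vulnerable?.inspect}"
end
```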