Bug #21632: Backport REXML CVE-2025-58767 fix - Ruby - Ruby Issue Tracking System

Actions

Copy link

Bug #21632

closed

Backport REXML CVE-2025-58767 fix

Added by Bo98 (Bo Anderson) 1 day ago. Updated about 19 hours ago.

Status:

Closed

Assignee:

Target version:

ruby -v:

Backport:

3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN

[ruby-core:<unknown>]

Description

Even though it's a bundled gem and not a default gem, it would be worthwhile backporting the fix for CVE-2025-58767 (https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/).

Ruby 3.4 PR: https://github.com/ruby/ruby/pull/14795
Ruby 3.3 PR: https://github.com/ruby/ruby/pull/14796

I'm not sure what to do for Ruby 3.2. It's a security fix so it qualifies for a backport, but there's other changes included in a version bump. Do we need a rexml 3.3.9.1?

Actions

Copy link

Updated by Anonymous about 19 hours ago

Status changed from Open to Closed

Applied in changeset git|a841c313c50e7ebf74df6e940334c34c68145270.

Update rexml to 3.4.4 for Ruby 3.4 (CVE-2025-58767) (#14795)

Update rexml to 3.4.4

[Backport #21632]

Actions

Copy link

Also available in: Atom PDF

Like0

Project

General

Profile

Ruby

Tags

Custom queries

Bug #21632

Backport REXML CVE-2025-58767 fix

Updated by Anonymous about 19 hours ago