🚨 [security] [ruby] Update rexml 3.3.7 → 3.3.9 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ rexml (indirect, 3.3.7 → 3.3.9) · Repo · Changelog

Security Advisories 🚨

🚨 REXML ReDoS vulnerability

Impact

The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;).

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.

Patches

The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Workarounds

Use Ruby 3.2 or later instead of Ruby 3.1.

References

• https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org

Release Notes

3.3.9

Improvements

• Improved performance.
  • GH-210
  • Patch by NAITOH Jun.

Fixes

• Fixed a parse bug for text only invalid XML.

  • GH-215
  • Patch by NAITOH Jun.

• Fixed a parse bug that &#0x...; is accepted as a character
  reference.

Thanks

• NAITOH Jun

3.3.8

Improvements

• SAX2: Improve parse performance.
  • GH-207
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that unexpected attribute namespace conflict error for
  the predefined "xml" namespace is reported.
  • GH-208
  • Patch by KITAITI Makoto

Thanks

• NAITOH Jun

• KITAITI Makoto

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

• Add 3.3.9 entry
• parser: fix a bug that &#0x...; is accepted as a character reference
• test: fix indent
• Fix `IOSource#readline` for `@pending_buffer` (#215)
• Optimize `IOSource#read_until` method (#210)
• Bump version
• test: avoid using needless non ASCII characters
• Add 3.3.8 entry
• Fix handling with "xml:" prefixed namespace (#208)
• Optimize SAX2Parser#get_namespace (#207)
• Bump version

↗️ avo (indirect, 3.13.6 → 3.13.7) · Repo · Changelog

Release Notes

3.13.7

Release notes

More information and release video here

🎸 Features

• ✨ Password: add reveal property @RocKhalil (#3341)

✨ Enhancements

• boolean group and checkbox improvements @adrianthedev (#3279)
• Check #email_address for sidebar name @tumes (#3340)
• Made the send_keys helper work in selenium as well as cuprite @iainbeeston (#3328)
• ✨ Controls placement on resource level @RocKhalil (#3320)

🐛 Bug Fixes

• fix: scopes reset pagination @Paul-Bob (avo-advanced #49)
• fix: implicit_authorization on default authorization service @Paul-Bob (#3355)

🤖 Maintenance

• chore: update view_component to 3.17.0 @Paul-Bob (#3350)

💡 Refactor

• refactor: rename implicit_authorization to explicit_authorization @Paul-Bob (#3356 & avo-pro #94)
• Made TestHelpers include methods from WaitForLoaded @iainbeeston (#3325)

For more information, check out Avo's release notes page

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• Bumped avo to 3.13.7
• ✨ Password: add reveal property (#3341)
• refactor: rename `implicit_authorization` to `explicit_authorization` (#3356)
• fix: implicit_authorization on default authorization service (#3355)
• refactor: boolean group and checkbox improvements (#3279)
• chore: update `view_component` to `3.17.0` (#3350)
• Check #email_address for sidebar name (#3340)
• Made the send_keys helper work in selenium as well as cuprite (#3328)
• ✨ Controls placement on resource level (#3320)
• Made TestHelpers include methods from WaitForLoaded (#3325)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codeclimate]

Code Climate has analyzed commit 0c9c42d and detected 0 issues on this pull request.

View more on Code Climate.

[github-actions]

This PR has been merged into main. The functionality will be available in the next release.

Please check the release guide for more information.