Add advisory for CVE-2025-58767 (DoS vulnerability in REXML) #937
Conversation
We already have this advisory as gems/rexml/CVE-2025-58767.yml. Also, the

Thanks for the review. I wanted to clarify the rationale for adding a rubies/ruby entry in this case. After checking the repository, there are already multiple CVEs that exist in both rubies/ruby and gems/*, for example: CVE-2009-4492. These duplicates suggest that the repository has historically represented some vulnerabilities at both the Ruby implementation level and the gem level, particularly for bundled stdlib components. You reviewed the last two for me too! Is the current policy to avoid new duplication? If that's the case, it might be helpful to document this expectation (or clean up existing duplicates) to avoid future confusion. Please let me know how you'd prefer to handle this going forward. As for Ruby 3.2.10 and 3.3.11, the PRs to update the gem in Ruby 3.2 and 3.3 have been merged, but new versions of Ruby haven't been released yet. I added this in the notes section as I wasn't sure how to handle it.

OK, CVE-2025-61594 is mentioned in the 3.4.8 release notes. If a new version of Ruby was released to address a CVE, then we do need an advisory in the
The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.

patched_versions:
- ">= 3.2.10"
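Review bot: `patched_versions` marks `>= 3.2.10` as fixed, but that Ruby release does not exist yet, so the advisory asserts a fix version no user can install and that may change if the release slips or the backport is revised. Suggest holding this entry out of `patched_versions` until 3.2.10 ships and keeping the pending backport in `notes`, as the PR already does. Also, the description line "The REXML gem 3.4.2 or later include the patches" should read "includes".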
Ruby 3.2.10 has not been released (yet).
patched_versions:
- ">= 3.2.10"
- ">= 3.3.11"
Ruby 3.3.11 has not been released (yet).
CVE-2025-58767 advisory rubies/ruby/CVE-2025-58767