
Ruby official site security update (2021-04-05)

Source: Ruby official site   Published: 2021-04-05   Views: 5690   Comments: 0

Basic information

Publication date: 2021-04-05 (official local time)

Update type: security update

Updated version: unknown

Detected at: 2021-04-05 22:14:47

Risk level: unknown

Intelligence contributed by: TSRC

Update title

CVE-2021-28965: XML round-trip vulnerability in REXML

Update details

There is an XML round-trip vulnerability in the REXML gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2021-28965. We strongly recommend upgrading the REXML gem.

Details

When parsing and serializing a crafted XML document, the REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML.

Please update the REXML gem to version 3.2.5 or later.

If you are using Ruby 2.6 or later:

Please use Ruby 2.6.7, 2.7.3, or 3.0.1.
Alternatively, you can use gem update rexml to update it. If you are using bundler, please add gem "rexml", ">= 3.2.5" to your Gemfile.

If you are using Ruby 2.5.8 or prior:

Please use Ruby 2.5.9.
You cannot use gem update rexml for Ruby 2.5.8 or prior.
Note that the Ruby 2.5 series is now EOL, so please consider upgrading Ruby to 2.6.7 or later as soon as possible.

Affected versions

Ruby 2.5.8 or prior (You can NOT use gem update rexml for this version.)
Ruby 2.6.7 or prior
Ruby 2.7.2 or prior
Ruby 3.0.1 or prior
REXML gem 3.2.4 or prior
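A defensive check in Ruby, added here as an example (not code from the Ruby project or from the advisory): it gates on the fixed REXML version named above and compares a document's structure before and after serialization, which is where the fault the advisory describes would surface. The helper names and the constructed sample documents are assumptions.

```ruby
require "rubygems"
require "rexml/document"

# Minimum REXML version carrying the fix for CVE-2021-28965 (from the advisory).
FIXED_REXML = Gem::Version.new("3.2.5")

# True when the given REXML version (default: the loaded one) is at or above the fix.
def rexml_patched?(version = REXML::VERSION)
  Gem::Version.new(version) >= FIXED_REXML
end

# Reduce a parsed tree to plain Ruby data (element names, sorted attributes,
# non-blank text, comments, children) so two parses can be compared without
# caring about indentation or other serialization details.
def structure(node)
  case node
  when REXML::Document
    node.children.map { |c| structure(c) }.compact
  when REXML::Element
    attrs = []
    node.attributes.each_attribute { |a| attrs << [a.expanded_name, a.value] }
    { name: node.expanded_name,
      attrs: attrs.sort,
      children: node.children.map { |c| structure(c) }.compact }
  when REXML::Text
    text = node.value.strip
    text.empty? ? nil : { text: text }
  when REXML::Comment
    { comment: node.string }
  else
    nil # XML declaration, processing instructions etc. are ignored here
  end
end

# Parse -> serialize -> re-parse. Returns false when the serializer changed the
# document's shape, i.e. the round-trip failure mode the advisory describes.
def round_trip_stable?(xml)
  first = REXML::Document.new(xml)
  second = REXML::Document.new(first.to_s)
  structure(first) == structure(second)
end

if __FILE__ == $0
  # Constructed sample input; a benign document should round-trip unchanged.
  sample = '<config env="prod"><host>db.internal</host><!-- note --></config>'
  puts "REXML #{REXML::VERSION} patched: #{rexml_patched?}"
  puts "round-trip stable: #{round_trip_stable?(sample)}"
end
```

Running this in CI with `rexml_patched?` required to be true fails the build on an unpatched gem, and `round_trip_stable?` can be applied to any untrusted document before the re-serialized form is handed to another consumer.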


Credits

Thanks to Juho Nurminen for discovering this issue.

History


Originally published at 2021-04-05 12:00:00 (UTC)


Posted by mame on 5 Apr 2021

Software description

Ruby is a simple and fast object-oriented scripting language, developed in the 1990s by Yukihiro Matsumoto (松本行弘) of Japan and released under the GPL and the Ruby License.

CVE number

TSRC analysis

None yet

Industry news

None yet
