Update REXML to fix DoS Vulnerability (CVE-2024-35176) #947
Comments
It's worse now. New CVE: https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/ This needs to be resolved.
Added PR: #948
Urgently needs releasing to address the vulnerability.
When can we expect a release with this change?
The PR was already merged, any idea when should we expect to have a new release?
Seconding the request for a release at the earliest convenience; my enterprise team is running into security warnings related to this rexml dependency, so it would be hugely helpful to have a new version released with the recently updated constraint. Thanks to the maintainers for the prompt handling of the relevant PR!
Thirding the request, or at least a request for a timeline, for the same reasons.
Please release a numbered version with the merged dependency update. The latest version of this library, 1.24.0, is still vulnerable.
Please release a numbered version with the merged dependency update.
For anybody still struggling with this, you can point your This worked fine in my case:

```ruby
source 'https://rubygems.org'
ruby '>= 2.6.10'
gem 'cocoapods', '>= 1.15.2'
gem 'xcodeproj', '~> 1.24', git: 'https://github.com/CocoaPods/Xcodeproj.git'
gem "rexml", "~> 3.3.2"
```

Once a new version is released, just remove the
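Added example, not code from the Xcodeproj project or from any commenter in this thread: a small Ruby check that reads a Gemfile.lock and reports whether the resolved rexml version is still below the `~> 3.3.2` pin used in the Gemfile above. The lockfile excerpt is constructed for the example, and the 3.3.2 threshold is an assumption taken from that pin, not a value published by the project.

```ruby
# Added example (not from the Xcodeproj project): check a Gemfile.lock for a
# resolved rexml version below the release pinned in the thread's Gemfile.
require 'rubygems'

# Minimum rexml version treated as fixed here. Assumption: taken from the
# "~> 3.3.2" pin in the workaround Gemfile, not from the project itself.
FIXED_REXML = Gem::Version.new('3.3.2')

# Parse the resolved entries of a Gemfile.lock into { name => Gem::Version }.
# Resolved gems are listed as "    name (x.y.z)" (four spaces); their
# dependency lines are indented six spaces and are skipped on purpose.
def resolved_gems(lockfile_text)
  gems = {}
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless m
    gems[m[1]] = Gem::Version.new(m[2])
  end
  gems
end

# Returns :missing, :vulnerable, or :fixed for rexml in the given lockfile text.
def rexml_status(lockfile_text)
  version = resolved_gems(lockfile_text)['rexml']
  return :missing if version.nil?
  version < FIXED_REXML ? :vulnerable : :fixed
end

# Constructed sample lockfile excerpt (not a real project's lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nanaimo (0.3.0)
      rexml (3.2.6)
      xcodeproj (1.24.0)
        rexml (~> 3.2.4)
LOCK

if $PROGRAM_NAME == __FILE__
  # Usage: ruby rexml_check.rb [path/to/Gemfile.lock]; the sample is used otherwise.
  text = ARGV.empty? ? SAMPLE_LOCK : File.read(ARGV[0])
  puts "rexml: #{rexml_status(text)}"
end
```

Run it against a real lockfile with `ruby rexml_check.rb Gemfile.lock`; `:vulnerable` means the resolved version is still below the pin, which is exactly the case the Gemfile override above is meant to fix.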
Unfortunately, many of us are exposed to this vulnerability through Fastlane's use of xcodeproj as a dependency. Looking forward to the next numbered release with bated breath!
@amorde Hola Eric! Is there a chance we could get a new release out asap?
The fix for this was released in 1.25.0.
Hi team,

There's a DoS vulnerability in rexml before version 3.2.7. It affects xcodeproj through fastlane. Can you update rexml to version 3.2.7 or later? More details: ruby-lang.org.

Thanks!