From 2bc540023c60e6e749ce9196fe966cf5865bc9d1 Mon Sep 17 00:00:00 2001 From: Bug Magnet Date: Wed, 28 Aug 2024 15:41:53 +0200 Subject: [PATCH 1/2] Update rexml for vulnerability issues --- ci/ios/upload-vm/Gemfile.lock | 2 +- ios/Gemfile.lock | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/ios/upload-vm/Gemfile.lock b/ci/ios/upload-vm/Gemfile.lock index da9e7d9f5ab4..3217ce338bc5 100644 --- a/ci/ios/upload-vm/Gemfile.lock +++ b/ci/ios/upload-vm/Gemfile.lock @@ -171,7 +171,7 @@ GEM trailblazer-option (>= 0.1.1, < 0.2.0) uber (< 0.2.0) retriable (3.1.2) - rexml (3.3.5) + rexml (3.3.6) strscan rouge (2.0.7) ruby2_keywords (0.0.5) diff --git a/ios/Gemfile.lock b/ios/Gemfile.lock index da9e7d9f5ab4..3217ce338bc5 100644 --- a/ios/Gemfile.lock +++ b/ios/Gemfile.lock @@ -171,7 +171,7 @@ GEM trailblazer-option (>= 0.1.1, < 0.2.0) uber (< 0.2.0) retriable (3.1.2) - rexml (3.3.5) + rexml (3.3.6) strscan rouge (2.0.7) ruby2_keywords (0.0.5) From 6c05bfccd213a68419b7d3204da1f896b7e66427 Mon Sep 17 00:00:00 2001 From: Bug Magnet Date: Thu, 29 Aug 2024 09:47:18 +0200 Subject: [PATCH 2/2] Revert "Ignore rexml CVE-2024-43398" This reverts commit 489f6160a62847e576a7170e8dc32f1cf12e8886. --- ci/ios/upload-vm/osv-scanner.toml | 8 -------- ios/osv-scanner.toml | 8 -------- 2 files changed, 16 deletions(-) delete mode 100644 ci/ios/upload-vm/osv-scanner.toml delete mode 100644 ios/osv-scanner.toml diff --git a/ci/ios/upload-vm/osv-scanner.toml b/ci/ios/upload-vm/osv-scanner.toml deleted file mode 100644 index 1a26a0cfe2b1..000000000000 --- a/ci/ios/upload-vm/osv-scanner.toml +++ /dev/null @@ -1,8 +0,0 @@ -# See repository root `osv-scanner.toml` for instructions and rules for this file. - -# rexml: The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML -# that has many deep elements that have same local name attributes. -[[IgnoredVulns]] -id = "CVE-2024-43398" # GHSA-952p-6rrq-rcjv -ignoreUntil = 2024-11-23 -reason = "rexml only parses trusted input (responses from Apple's APIs) in this code" diff --git a/ios/osv-scanner.toml b/ios/osv-scanner.toml deleted file mode 100644 index 1a26a0cfe2b1..000000000000 --- a/ios/osv-scanner.toml +++ /dev/null @@ -1,8 +0,0 @@ -# See repository root `osv-scanner.toml` for instructions and rules for this file. - -# rexml: The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML -# that has many deep elements that have same local name attributes. -[[IgnoredVulns]] -id = "CVE-2024-43398" # GHSA-952p-6rrq-rcjv -ignoreUntil = 2024-11-23 -reason = "rexml only parses trusted input (responses from Apple's APIs) in this code"