ruby and rubygem-rexml: patch CVE-2024-49761 #10935
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Patch adapted from ruby/rexml@ce59f2e which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761 Needed for rubygem-rexml versions < 3.3.9 Signed-off-by: Saul Paredes <[email protected]>
Redent0r
changed the title
Redent0r
force-pushed
the
saulparedes/3.0/CVE-2024-49761
branch
from
d52bf59
to
d067f79
Compare
|
Able to install both on 3.0 container 
|
|
Double checked against https://dev.azure.com/mariner-org/mariner/_build/results?buildId=669633&view=ms.vss-test-web.build-test-results-tab and no new test failure regressions |
nicogbg
approved these changes
Nov 6, 2024
Patch adapted from ruby/rexml@ce59f2e which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761 Needed for rubygem-rexml versions < 3.3.9 Signed-off-by: Saul Paredes <[email protected]>
Redent0r
force-pushed
the
saulparedes/3.0/CVE-2024-49761
branch
from
d067f79
to
11af426
Compare
anphel31
approved these changes
Nov 12, 2024
mbykhovtsev-ms
approved these changes
Nov 12, 2024
anphel31
reviewed
Nov 12, 2024
| @@ -408,6 +410,9 @@ sudo -u test make test TESTS="-v" | |||
| %{_rpmconfigdir}/rubygems.con | |||
|
|
|||
| %changelog | |||
| * Tue Nov 05 2024 Saul Paredes <[email protected]> - 3.1.4-3 | |||
There was a problem hiding this comment.
I think this version should be 3.3.3-3
anphel31
reviewed
Nov 12, 2024
| License: BSD | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Azure Linux | ||
| Group: Development/Languages | ||
| URL: https://github.com/ruby/rexml | ||
| Source0: https://github.com/ruby/rexml/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz | ||
| Patch0: CVE-2024-49761.patch |
There was a problem hiding this comment.
Can you fix the indentation here?
anphel31
reviewed
Nov 12, 2024
| @@ -34,6 +35,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}- | |||
| %{gemdir} | |||
|
|
|||
| %changelog | |||
| * Tue Nov 05 2024 Saul Paredes <[email protected]> - 3.2.7-2 | |||
There was a problem hiding this comment.
This version looks wrong - shouldn't it be 3.3.4-2?
|
Closing as I'm including this patch fix in #10988 now to avoid conflicts |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
What does the PR accomplish, why was it needed?
Change Log
Does this affect the toolchain?
NO
Links to CVEs
Test Methodology
buddy build: