(PA-6507)(PA-6736) Gem install rexml to 3.3.2 for CVE-2024-35176 and … #882
Conversation
…VE-2024-39908 in 7.x - The CVEs were fixed from rexml version 3.2.7 (CVE-2024-35176) and 3.3.2 (CVE-2024-39908). - Patching for the CVE wasn't getting applied cleanly and had a lot of conflicts. So updated the gem version to 3.3.2 in the rexml component file. - This addresses the CVEs for 7.x. - For solaris-10-sparc and solaris-11-sparc, we ignore dependency when installing rexml since the ruby in these platforms tries to install strscan (rexml's dependency) but fails while building native extensions. We can ignore installing strscan since it is shipped with ruby 2.7.8 as its default gem.
|
Ran impacted projects for all applicable platforms: agent-runtime-7.x: https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3109/ solaris-11-sparc failed due to xz package version getting updated upstream. pe-bolt-server-runtime-main: https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3110/ |
|
We will be upgrading to ruby 3.2.5 to address the CVEs in main. |
|
It looks good to me, though somewhat unrelated to your PR, why does pe-bolt-server-runtime include the rexml gem component? It's a bundled gem in ruby 3.2 so seems unnecessary to be explicitly added. Ah it looks like it was added in f29521d in order to be compatible with JRuby 9.4. So we'll need to get approval from skeletor to merge this. If it's ok to bump rexml for pe-bolt-server-runtime-main, could you update your commit message? If we don't want to bump rexml for pe-bolt-server-runtime-main, then we should allow the version to be passed in. Have it default to the latest version and update pe-bolt-server-runtime-main to pass in the older version. Note how we override |
…CVE-2024-39908 in 7.x