diff --git a/configs/components/_base-rubygem.rb b/configs/components/_base-rubygem.rb
index a5614b81b..0d16ecbe6 100644
--- a/configs/components/_base-rubygem.rb
+++ b/configs/components/_base-rubygem.rb
@@ -40,13 +40,13 @@
 # If a gem needs more command line options to install set the :gem_install_options
 # in its component file rubygem-, before the instance_eval of this file.
 gem_install_options = settings["#{pkg.get_name}_gem_install_options".to_sym]
-if gem_install_options.nil?
- pkg.install do
- "#{settings[:gem_install]} #{name}-#{version}.gem"
- end
-else
- pkg.install do
- "#{settings[:gem_install]} #{name}-#{version}.gem #{gem_install_options}"
- end
+remove_older_versions = settings["#{pkg.get_name}_remove_older_versions".to_sym]
+pkg.install do
+ steps = []
+ steps << "#{settings[:gem_uninstall]} #{name}" if remove_older_versions
+ steps << if gem_install_options.nil?
+ "#{settings[:gem_install]} #{name}-#{version}.gem"
+ else
+ "#{settings[:gem_install]} #{name}-#{version}.gem #{gem_install_options}"
+ end
 end
-
diff --git a/configs/components/rubygem-rexml.rb b/configs/components/rubygem-rexml.rb
index 48b0ff231..c58758bff 100644
--- a/configs/components/rubygem-rexml.rb
+++ b/configs/components/rubygem-rexml.rb
@@ -2,6 +2,8 @@
 pkg.version '3.3.4'
 pkg.md5sum 'b7411377f3c1a9cbe65e862f74067f91'
 
+ settings["#{pkg.get_name}_remove_older_versions".to_sym] = true
+
 # If the platform is solaris with sparc architecture in agent-runtime-7.x project, we want to gem install rexml
 # ignoring the dependencies, this is because the pl-ruby version used in these platforms is ancient so it gets
 # confused when installing rexml. It tries to install rexml's dependency 'strscan' by building native extensions
diff --git a/configs/projects/_shared-agent-components.rb b/configs/projects/_shared-agent-components.rb
index 6e722cc46..bbcc60c9e 100644
--- a/configs/projects/_shared-agent-components.rb
+++ b/configs/projects/_shared-agent-components.rb
@@ -62,6 +62,12 @@
 proj.component 'rubygem-fast_gettext'
 proj.component 'rubygem-ffi'
 
+# We add rexml explicitly in here because even though ruby 3 ships with rexml as its default gem, the version
+# of rexml it ships with contains CVE-2024-41946, CVE-2024-41123, CVE-2024-35176 and CVE-2024-39908.
+# So, we add it here to update to a higher version
+# free from the CVEs.
+proj.component 'rubygem-rexml'
+
 if platform.is_windows? || platform.is_solaris? || platform.is_aix?
 proj.component 'rubygem-minitar'
 end
diff --git a/configs/projects/_shared-agent-settings.rb b/configs/projects/_shared-agent-settings.rb
index 22d76367f..f9d45724f 100644
--- a/configs/projects/_shared-agent-settings.rb
+++ b/configs/projects/_shared-agent-settings.rb
@@ -131,6 +131,7 @@
 end
 
 proj.setting(:gem_install, "#{proj.host_gem} install --no-rdoc --no-ri --local ")
+proj.setting(:gem_uninstall, "#{proj.host_gem} uninstall --all --ignore-dependencies ")
 
 # For AIX, we use the triple to install a better rbconfig
 if platform.is_aix?
diff --git a/configs/projects/agent-runtime-7.x.rb b/configs/projects/agent-runtime-7.x.rb
index 1d55aeec8..93f45363a 100644
--- a/configs/projects/agent-runtime-7.x.rb
+++ b/configs/projects/agent-runtime-7.x.rb
@@ -61,11 +61,6 @@
 proj.component 'rubygem-thor'
 proj.component 'rubygem-scanf'
 
- # We add rexml explicitly in here because even though ruby 2 ships with rexml as its default gem, the version
- # of rexml it ships with contains CVE-2024-35176 and CVE-2024-39908. So, we add it here to update to a higher version
- # free from the CVEs.
- proj.component 'rubygem-rexml'
-
 if platform.is_linux?
 proj.component "virt-what"
 proj.component "dmidecode" unless platform.architecture =~ /ppc64/
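Review bot: The uninstall step added inside the `pkg.install` block interpolates `settings[:gem_uninstall]` without checking that it is defined, so a project that sets the `_remove_older_versions` flag for a component but does not load the settings file that defines `:gem_uninstall` would emit the bare gem name as a shell step; if `settings` is a plain Hash, `steps << "#{settings.fetch(:gem_uninstall)} #{name}" if remove_older_versions` fails at config time with a clear message instead. The block now evaluates to the Array left by `steps << …`, where the old code returned a single String, which presumably relies on `pkg.install` accepting a list of commands and is worth confirming. A one-line comment above `steps = []` stating the ordering contract would help the next reader, e.g. `# Uninstall every existing version first so only the pinned one ends up in the package`.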
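Review bot: `settings["#{pkg.get_name}_remove_older_versions".to_sym] = true` is set unconditionally, so every project and platform that includes this component now runs the `:gem_uninstall` command for rexml before the install. The comment removed from agent-runtime-7.x.rb in this same commit says ruby 2 ships rexml as a default gem, and `gem uninstall` refuses to remove default gems, while on a ruby with no earlier rexml present it reports the gem as not installed; depending on the rubygems version either case may exit non-zero and fail the build, so this looks like it wants the same project/platform guard the comment below this line describes for the install options, or at least verification on each runtime. A short comment stating the intent would also help, e.g. `# Remove the rexml that ships with ruby so only the CVE-free pinned version remains`.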
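Review bot: The new comment says ruby 3 ships rexml as a default gem; as far as I know rexml has been a bundled gem rather than a default gem since ruby 3.0, and the distinction matters for this commit because `gem uninstall` can remove bundled gems but refuses default ones, so please confirm and, if so, reword to `# ruby 3 ships rexml as a bundled gem`. The comment also describes the fix as "a higher version" without naming it; pointing at the pin in configs/components/rubygem-rexml.rb (3.3.4 in this commit) would save the next reader a lookup.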
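Review bot: `--ignore-dependencies` lets the uninstall succeed even when other already-installed gems depend on the removed gem, so if the install step that follows it in `_base-rubygem.rb` fails, the gem tree is left without that gem; the trade-off deserves a comment above the setting, e.g. `# Used right before reinstalling the same gem, so dependency checks are skipped on purpose`. The command passes neither `--executables` nor `--no-executables`, so for a gem that ships executables `gem uninstall` may prompt whether to remove them, which in a non-interactive build is worth pinning explicitly with `uninstall --all --ignore-dependencies --executables`. Like `:gem_install` above it the string keeps a trailing space, so the interpolation in `_base-rubygem.rb` yields a doubled space before the gem name; harmless, but easy to drop here.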