From b5de92fd060560a57a28b2ae41d13bcba4907b76 Mon Sep 17 00:00:00 2001
From: Shubham Shinde
Date: Fri, 12 Jul 2024 02:50:51 +0530
Subject: [PATCH] (PA-6507) Update gem rexml from default to 3.2.7 for CVE-2024-35176

- The CVE was mitigated from rexml version 3.2.7.
- Patching for the CVE wasn't getting applied cleanly and had a lot of conflicts. So updated the gem version to 3.2.7 in the rexml component file.
- Added the change to _shared-agent-components since the CVE impacts both agent-runtime-main (ruby 3.2.4 using rexml 3.2.6) and agent-runtime-7.x (ruby 2.7.8 using rexml 3.2.3).
- Added rubygems-strscan component with version 3.0.9 because rexml 3.2.7 requires strscan 3.0.9 but agent-runtime rubies come with older version of it.
---
 configs/components/rubygem-rexml.rb | 4 ++--
 configs/components/rubygem-strscan.rb | 7 +++++++
 configs/projects/_shared-agent-components.rb | 3 +++
 3 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 configs/components/rubygem-strscan.rb

diff --git a/configs/components/rubygem-rexml.rb b/configs/components/rubygem-rexml.rb
index e983157aa..8c4588acd 100644
--- a/configs/components/rubygem-rexml.rb
+++ b/configs/components/rubygem-rexml.rb
@@ -1,6 +1,6 @@
 component 'rubygem-rexml' do |pkg, settings, platform|
- pkg.version '3.2.6'
- pkg.md5sum 'a57288ae5afed07dd08c9f1302da7b25'
+ pkg.version '3.2.7'
+ pkg.md5sum '78ddb64f45975a40e5d6b644e12aba32'
 
 instance_eval File.read('configs/components/_base-rubygem.rb')
 end
diff --git a/configs/components/rubygem-strscan.rb b/configs/components/rubygem-strscan.rb
new file mode 100644
index 000000000..e8fdc2e54
--- /dev/null
+++ b/configs/components/rubygem-strscan.rb
@@ -0,0 +1,7 @@
+component 'rubygem-rexml' do |pkg, settings, platform|
+ pkg.version '3.0.9'
+ pkg.md5sum '712528845b4f24bb15989f8964b99cc4'
+
+ instance_eval File.read('configs/components/_base-rubygem.rb')
+ end
+ 
\ No newline at end of file
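Review bot: The new file configs/components/rubygem-strscan.rb declares `component 'rubygem-rexml' do |pkg, settings, platform|` on its first added line, so the strscan component is registered under the rexml component's name; it should read `component 'rubygem-strscan' do |pkg, settings, platform|`. If _base-rubygem.rb derives the gem to download from the component name (that file is not visible here), the build would try to fetch rexml at version 3.0.9 and fail the md5sum check, and in any case two components would share the name 'rubygem-rexml' once _shared-agent-components.rb loads both, which is the hunk at the end of this patch. The same hunk closes the block with an indented `end` and ends the file with a whitespace-only line and no newline; matching the rexml component's layout (`end` at column 0, file terminated by a newline) would keep the two component files consistent.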
diff --git a/configs/projects/_shared-agent-components.rb b/configs/projects/_shared-agent-components.rb
index 6e722cc46..3ffed64d9 100644
--- a/configs/projects/_shared-agent-components.rb
+++ b/configs/projects/_shared-agent-components.rb
@@ -69,3 +69,6 @@
 if platform.is_macos?
 proj.component 'rubygem-CFPropertyList'
 end
+
+proj.component 'rubygem-strscan'
+proj.component 'rubygem-rexml'
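Review bot: The two added `proj.component` lines give no hint of why strscan is listed ahead of rexml, and the reason lives only in the commit message; a comment such as `# rexml >= 3.2.7 (CVE-2024-35176 fix) depends on strscan >= 3.0.9, newer than the default gem in the agent rubies, so strscan is built first` above `proj.component 'rubygem-strscan'` would keep that dependency visible to whoever next bumps either gem. This assumes that the order of proj.component calls determines build order, which the hunk itself does not show.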