(PA-6507) Update gem rexml from default to 3.2.9 for CVE-2024-35176

- The CVE was fixed from rexml version 3.2.7. - Patching for the CVE wasn't getting applied cleanly and had a lot of conflicts. So updated the gem version to 3.2.9 in the rexml component file. - rexml 3.2.7 requires strscan >= 3.0.9 which contains native extensions. We would need a compiler to build the extensions and there are jruby incompatibilities. This requirement has been relaxed starting from rexml 3.2.9. Therefore we update to rexml 3.2.9 here. - Added the change to _shared-agent-components since the CVE impacts both agent-runtime-main (ruby 3.2.4 using rexml 3.2.6) and agent-runtime-7.x (ruby 2.7.8 using rexml 3.2.3).
puppetlabs · Jul 12, 2024 · e0582bd · e0582bd
1 parent 0014ae7
commit e0582bd
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/configs/components/rubygem-rexml.rb b/configs/components/rubygem-rexml.rb
@@ -1,6 +1,6 @@
 component 'rubygem-rexml' do |pkg, settings, platform|
-  pkg.version '3.2.6'
-  pkg.md5sum 'a57288ae5afed07dd08c9f1302da7b25'
+  pkg.version '3.2.9'
+  pkg.md5sum '73fcf4d686d68dafbca57f941097ebf0'
 
   instance_eval File.read('configs/components/_base-rubygem.rb')
 end
diff --git a/configs/projects/_shared-agent-components.rb b/configs/projects/_shared-agent-components.rb
@@ -61,6 +61,7 @@
 proj.component 'rubygem-gettext'
 proj.component 'rubygem-fast_gettext'
 proj.component 'rubygem-ffi'
+proj.component 'rubygem-rexml'
 
 if platform.is_windows? || platform.is_solaris? || platform.is_aix?
   proj.component 'rubygem-minitar'