From e0582bd87222ca2f2ae797852fe60b675a389aaf Mon Sep 17 00:00:00 2001 From: Shubham Shinde Date: Fri, 12 Jul 2024 23:16:12 +0530 Subject: [PATCH] (PA-6507) Update gem rexml from default to 3.2.9 for CVE-2024-35176 - The CVE was fixed from rexml version 3.2.7. - Patching for the CVE wasn't getting applied cleanly and had a lot of conflicts. So updated the gem version to 3.2.9 in the rexml component file. - rexml 3.2.7 requires strscan >= 3.0.9 which contains native extensions. We would need a compiler to build the extensions and there are jruby incompatibilities. This requirement has been relaxed starting from rexml 3.2.9. Therefore we update to rexml 3.2.9 here. - Added the change to _shared-agent-components since the CVE impacts both agent-runtime-main (ruby 3.2.4 using rexml 3.2.6) and agent-runtime-7.x (ruby 2.7.8 using rexml 3.2.3). --- configs/components/rubygem-rexml.rb | 4 ++-- configs/projects/_shared-agent-components.rb | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/configs/components/rubygem-rexml.rb b/configs/components/rubygem-rexml.rb index e983157aa..2dbeb7830 100644 --- a/configs/components/rubygem-rexml.rb +++ b/configs/components/rubygem-rexml.rb @@ -1,6 +1,6 @@ component 'rubygem-rexml' do |pkg, settings, platform| - pkg.version '3.2.6' - pkg.md5sum 'a57288ae5afed07dd08c9f1302da7b25' + pkg.version '3.2.9' + pkg.md5sum '73fcf4d686d68dafbca57f941097ebf0' instance_eval File.read('configs/components/_base-rubygem.rb') end diff --git a/configs/projects/_shared-agent-components.rb b/configs/projects/_shared-agent-components.rb index 6e722cc46..bcd2adc3c 100644 --- a/configs/projects/_shared-agent-components.rb +++ b/configs/projects/_shared-agent-components.rb @@ -61,6 +61,7 @@ proj.component 'rubygem-gettext' proj.component 'rubygem-fast_gettext' proj.component 'rubygem-ffi' +proj.component 'rubygem-rexml' if platform.is_windows? || platform.is_solaris? || platform.is_aix? proj.component 'rubygem-minitar'
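Review bot: In the rubygem-rexml.rb hunk the only integrity check on the new artifact is `pkg.md5sum '73fcf4d686d68dafbca57f941097ebf0'`; before merging, confirm that this digest matches the rexml 3.2.9 gem as published on rubygems.org rather than a locally built copy, and, if the component framework accepts a stronger digest than MD5 (I am not certain it does), prefer that, since MD5 is no longer collision-resistant. The bump from '3.2.6' to '3.2.9' matches the commit message (fix landed in 3.2.7, strscan constraint relaxed in 3.2.9), so nothing else in this hunk needs changing.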
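Review bot: In the _shared-agent-components.rb hunk the new line `proj.component 'rubygem-rexml' if platform.is_windows? || platform.is_solaris? || platform.is_aix?` only ships the patched gem on Windows, Solaris and AIX, while the commit message says the CVE affects both agent runtimes on every platform via the default rexml bundled with Ruby (3.2.6 and 3.2.3). Either the commit message should state how Linux and macOS builds get a fixed rexml, or the platform guard should be dropped. Also worth noting in the message: installing rexml 3.2.9 alongside Ruby's default gem does not remove the older default-gem specification, so `require 'rexml'` will pick the newer version by RubyGems' highest-version rule, but a scanner that inventories gemspecs may still report the old 3.2.6/3.2.3 entry unless it is removed or the lockfile pins 3.2.9.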