Hello,
We’re running Rocky Linux 9.2 and have the following versions of Ruby:
ruby-libs-3.0.7-165.el9_5.x86_64
rubygem-psych-3.3.2-165.el9_5.x86_64
rubygems-3.2.33-165.el9_5.noarch
ruby-3.0.7-165.el9_5.x86_64
rubygem-json-2.5.1-165.el9_5.x86_64
rubygem-rexml-3.2.5-165.el9_5.noarch
Can you confirm if the following CVEs are fixed in these RPMs (ruby - 3.0)?
Are these already patched in 3.0? I need to find the advisories for the same.
- CVE-2024-27280 (StringIO)
- CVE-2024-27281 (RDoc)
- CVE-2024-27282 (Regex)
- CVE-2024-41123 (REXML)
- CVE-2024-41946 (REXML)
- CVE-2024-43398
- CVE-2024-39908
If not all are fixed, is installing rexml >= 3.3.3 via gem install the recommended workaround?
Thanks,
Akash.
The first thing to do is to update your Rocky Linux to the latest version, 9.6, which will (among many other things) mitigate some security vulnerabilities other than those you list here.
You can run “dnf upgrade” as the root user to accomplish this task.
After that, see what versions of Ruby-whatever are current with your updated installation and go on from there.
First you run dnf up to get Rocky 9.6, as that is currently the only supported Rocky 9.
Then you can look at the changelogs, e.g.
rpm -q --changelog ruby-libs | grep -i cve-2024
If your CVEs are mentioned there, then they are fixed (for that package).
If they are not mentioned, then you have to go to Red Hat’s pages to see whether they consider RHEL 9 “not affected” by a particular CVE.
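The reply above gives a one-package, one-grep check. The script below is an added example (not code from this thread, from Rocky Linux or from Red Hat) that extends it to several packages and the whole CVE list from the question, reporting each id as "mentioned" or "not mentioned" in the installed RPM's changelog. The function names (`package_changelog`, `cve_in_text`, `cve_report`, `count_unmentioned`) are my own, and the `SAMPLE_CHANGELOG` text is a constructed stand-in used only when `rpm` is unavailable; it is not a real Red Hat changelog and makes no claim about which CVEs the real packages fix.

```shell
#!/bin/sh
# Added example: check installed RPM changelogs for a list of CVE ids.
# "not mentioned" is not proof of exposure; it means the vendor's CVE page
# (Red Hat's for RHEL 9 / Rocky 9) must be consulted for that id.

# package_changelog <package>: changelog of the installed RPM, or empty
# output when rpm is missing or the package is not installed.
package_changelog() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q --changelog "$1" 2>/dev/null || true
}

# cve_in_text <changelog-text> <cve-id>: exit 0 when the id appears as a whole
# token, case-insensitively, so CVE-2024-2728 does not match CVE-2024-27280.
cve_in_text() {
    printf '%s\n' "$1" | grep -qiw -- "$2"
}

# cve_report <changelog-text> <cve-id>...: one tab-separated line per CVE.
cve_report() {
    text="$1"; shift
    for cve in "$@"; do
        if cve_in_text "$text" "$cve"; then
            printf '%s\tmentioned in changelog\n' "$cve"
        else
            printf '%s\tnot mentioned (check vendor CVE page)\n' "$cve"
        fi
    done
}

# count_unmentioned <changelog-text> <cve-id>...: number of ids not found.
count_unmentioned() {
    text="$1"; shift
    n=0
    for cve in "$@"; do
        cve_in_text "$text" "$cve" || n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample changelog for offline runs (NOT a real Red Hat entry).
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Example Maintainer <maint@example.invalid> - 3.0.7-0.sample
- constructed entry: Resolves: CVE-2024-27280, cve-2024-27281
- constructed entry: Resolves: CVE-2024-2728'

# The CVE ids asked about in the thread.
CVES="CVE-2024-27280 CVE-2024-27281 CVE-2024-27282 CVE-2024-41123 CVE-2024-41946 CVE-2024-43398 CVE-2024-39908"

# main: real changelogs when rpm is present, the constructed sample otherwise.
main() {
    for pkg in ruby-libs rubygem-rexml; do
        echo "== $pkg"
        text=$(package_changelog "$pkg")
        if [ -z "$text" ]; then
            echo "(rpm unavailable or package missing; using constructed sample)"
            text=$SAMPLE_CHANGELOG
        fi
        cve_report "$text" $CVES
    done
}

main
```

Run it as root or as any user that can query the RPM database; each package gets its own section because a CVE fixed in ruby-libs says nothing about rubygem-rexml, and the whole-token match avoids a shorter id accidentally matching a longer one.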