Are these Ruby CVEs fixed in Rocky Linux 9.2?

Hello ,

We’re running Rocky Linux 9.2 and having below versions of ruby .
ruby-libs-3.0.7-165.el9_5.x86_64
rubygem-psych-3.3.2-165.el9_5.x86_64
rubygems-3.2.33-165.el9_5.noarch
ruby-3.0.7-165.el9_5.x86_64
rubygem-json-2.5.1-165.el9_5.x86_64
rubygem-rexml-3.2.5-165.el9_5.noarch

Can you confirm if the following CVEs are fixed in these RPMs (ruby - 3.0)?
Are these already patched to 3.0 , need to find advisories for same .

• CVE-2024-27280 (StringIO)
• CVE-2024-27281 (RDoc)
• CVE-2024-27282 (Regex)
• CVE-2024-41123 (REXML)
• CVE-2024-41946 (REXML)
• CVE-2024-43398
• CVE-2024-39908

If not all are fixed, is installing rexml >= 3.3.3 via gem install the recommended workaround?

Thanks,
Akash.

The first thing to do is to update your Rocky Linux to the latest version, which is 9.6, which will (among many other things), mitigate some security vulnerabilities other than those you list here.

You can run “dnf upgrade” as the root user to accomplish this task.

After that, see what versions of Ruby-whatever are current with your updated installation and go on from there.

First you run dnf up to get Rocky 9.6 as that is currently the only supported Rocky 9.

Then you can look changelogs, e.g.

rpm -q --changelog ruby-libs | grep -i cve-2024

If your CVE’s are mentioned there, then they are fixed (for that package).

If they are not mentioned, then you have to go to Red Hat’s pages to see whether they consider RHEL 9 “not affected” by particular CVE.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.