[Security] Bump rexml from 3.2.4 to 3.2.5

[dependabot-preview]

Bumps rexml from 3.2.4 to 3.2.5. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

XML round-trip vulnerability in REXML When parsing and serializing a crafted XML document, REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one.

Patched versions: >= 3.2.5 Unaffected versions: none

Changelog

Sourced from rexml's changelog.

3.2.5 - 2021-04-05 {#version-3-2-5}

Improvements

• Add more validations to XPath parser.

• require "rexml/docuemnt" by default. [GitHub#36][Patch by Koichi ITO]

• Don't add #dcloe method to core classes globally. [GitHub#37][Patch by Akira Matsuda]

• Add more documentations. [Patch by Burdette Lamar]

• Added REXML::Elements#parent. [GitHub#52][Patch by Burdette Lamar]

Fixes

• Fixed a bug that REXML::DocType#clone doesn't copy external ID information.

• Fixed round-trip vulnerability bugs. See also: https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/ [HackerOne#1104077][CVE-2021-28965][Reported by Juho Nurminen]

Thanks

• Koichi ITO

• Akira Matsuda

• Burdette Lamar

• Juho Nurminen

Commits

• a622645 Add 3.2.5 entry
• 3c137eb Fix a parser bug that some data may be ignored before DOCTYPE
• 9b311e5 Fix a bug that invalid document declaration may be accepted
• f9d88e4 Fix a bug that invalid document declaration may be generated
• f7bab89 Fix a bug that invalid element end may be accepted
• 6a250d2 Fix a bug that invalid element start may be accepted
• 2fe62e2 Fix a bug that invalid notation declaration may be accepted
• a659c63 Fix a bug that invalid notation declaration may be generated
• 790dd11 Use ruby/setup-ruby (#66)
• eda1b20 Clean up and enhance high-level RDoc (#65)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[coveralls]

Coverage remained the same at 100.0% when pulling d4082cb on dependabot/bundler/rexml-3.2.5 into 98caf63 on master.