up rexml to a version that doesn't include the ddos vulnerability #806

Closed
jeremiahlukus wants to merge 1 commit into gettalong:master from jeremiahlukus:master

Conversation

@jeremiahlukus

REXML contains a denial of service vulnerability (CVE-2024-35176)

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value. If you need to parse untrusted XMLs, you may be impacted by this vulnerability.

Patches

The REXML gem 3.2.7 or later includes the patch to fix this vulnerability.

Workarounds

Don't parse untrusted XMLs.

References

* https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

^ pasted from NewRelic

@monicao

monicao commented Aug 26, 2024

It looks like more vulnerabilities were found since May.

Consider bumping the version of rexml to '>= 3.3.6', because this CVE-2024-43398 reports the DoS vulnerability is there in prior versions.

@jeremiahlukus
Author

I would if it would get merged; since this didn't get merged, it's unlikely another version bump will.

@etherz10

@gettalong Any chance of bumping the minimum rexml version required to 3.3.6 and then merging this?

@gettalong gettalong self-assigned this Nov 16, 2024
@gettalong
Owner

I have changed the version to >= 3.3.6 and will do a release within a week.

@gettalong gettalong closed this Nov 16, 2024
@etherz10

@gettalong I see you've just made a 2.5.0 release that requires 3.3.6, but there's a CVE that's been fixed in 3.3.9 -- could you do a .1 release and bump that dep again please?

https://nvd.nist.gov/vuln/detail/CVE-2024-49761
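The thread names three REXML floors: 3.2.7 for CVE-2024-35176 (the pasted advisory), 3.3.6 for CVE-2024-43398, and 3.3.9 for CVE-2024-49761. The following Ruby snippet is an added example, not code from kramdown or from anyone in this thread; it uses the stock `Gem::Version` comparison to report which of those CVEs a given rexml version still leaves open, and reads the pinned version out of a constructed `Gemfile.lock` body. The lockfile text and the `REXML_FLOORS` table are assumptions built from the versions mentioned on this page.

```ruby
require "rubygems"

# Fix versions as stated in this thread (CVE => first patched REXML release).
REXML_FLOORS = {
  "CVE-2024-35176" => Gem::Version.new("3.2.7"),
  "CVE-2024-43398" => Gem::Version.new("3.3.6"),
  "CVE-2024-49761" => Gem::Version.new("3.3.9"),
}.freeze

# Returns the CVE ids from REXML_FLOORS whose fix is newer than the given
# rexml version string. An empty array means every floor in the table is met.
def unpatched_rexml_cves(version_string)
  v = Gem::Version.new(version_string)
  REXML_FLOORS.select { |_, floor| v < floor }.keys
end

# Scans a Gemfile.lock body for the resolved rexml version (the 4-space
# indented "rexml (x.y.z)" line under "specs:") and returns the CVEs still
# open at that version, or nil when rexml is not pinned in the lockfile.
def rexml_cves_in_lockfile(lockfile_text)
  m = lockfile_text.match(/^ {4}rexml \(([\d.]+)\)/)
  return nil unless m
  unpatched_rexml_cves(m[1])
end

# Startup guard: true only when the rexml gem installed in this process meets
# every floor above. Returns false if rexml cannot be resolved at all.
def rexml_safe_for_untrusted_input?
  spec = Gem::Specification.find_by_name("rexml")
  unpatched_rexml_cves(spec.version.to_s).empty?
rescue Gem::LoadError
  false
end

# Constructed lockfile excerpt: kramdown 2.5.0 with its ">= 3.3.6" constraint,
# resolved to rexml 3.3.6 (the version this thread asks to raise to 3.3.9).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      kramdown (2.5.0)
        rexml (>= 3.3.6)
      rexml (3.3.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    kramdown
LOCK

if __FILE__ == $PROGRAM_NAME
  open = rexml_cves_in_lockfile(SAMPLE_LOCKFILE)
  puts "rexml in sample lockfile still exposed to: #{open.inspect}"
  puts "installed rexml meets all floors: #{rexml_safe_for_untrusted_input?}"
end
```

Run it against a real `Gemfile.lock` by reading the file into `rexml_cves_in_lockfile`; the version table is the only thing to update when a newer advisory raises the floor again.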

@gettalong
Owner

@etherz10 I have just pushed kramdown 2.5.1 with the necessary change.

@jeremiahlukus
Author

Thanks man!

@etherz10

champion, thank you
