Created by: dependabot-preview[bot]
Bumps rexml from 3.2.4 to 3.2.5. This update includes a security fix.
Vulnerabilities fixed
Sourced from The Ruby Advisory Database.
XML round-trip vulnerability in REXML When parsing and serializing a crafted XML document, REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one.
Patched versions: >= 3.2.5 Unaffected versions: none
Changelog
Sourced from rexml's changelog.
3.2.5 - 2021-04-05 {#version-3-2-5}
Improvements
Add more validations to XPath parser.
require "rexml/docuemnt"
by default. [GitHub#36][Patch by Koichi ITO]Don't add
#dcloe
method to core classes globally. [GitHub#37][Patch by Akira Matsuda]Add more documentations. [Patch by Burdette Lamar]
Added
REXML::Elements#parent
. [GitHub#52][Patch by Burdette Lamar]Fixes
Fixed a bug that
REXML::DocType#clone
doesn't copy external ID information.Fixed round-trip vulnerability bugs. See also: https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/ [HackerOne#1104077][CVE-2021-28965][Reported by Juho Nurminen]
Thanks
Koichi ITO
Akira Matsuda
Burdette Lamar
Juho Nurminen
Commits
-
a622645
Add 3.2.5 entry -
3c137eb
Fix a parser bug that some data may be ignored before DOCTYPE -
9b311e5
Fix a bug that invalid document declaration may be accepted -
f9d88e4
Fix a bug that invalid document declaration may be generated -
f7bab89
Fix a bug that invalid element end may be accepted -
6a250d2
Fix a bug that invalid element start may be accepted -
2fe62e2
Fix a bug that invalid notation declaration may be accepted -
a659c63
Fix a bug that invalid notation declaration may be generated -
790dd11
Use ruby/setup-ruby (#66) -
eda1b20
Clean up and enhance high-level RDoc (#65) - Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase
.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
-
@dependabot rebase
will rebase this PR -
@dependabot recreate
will recreate this PR, overwriting any edits that have been made to it -
@dependabot merge
will merge this PR after your CI passes on it -
@dependabot squash and merge
will squash and merge this PR after your CI passes on it -
@dependabot cancel merge
will cancel a previously requested merge and block automerging -
@dependabot reopen
will reopen this PR if it is closed -
@dependabot close
will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually -
@dependabot ignore this major version
will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this minor version
will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this dependency
will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) -
@dependabot use these labels
will set the current labels as the default for future PRs for this repo and language -
@dependabot use these reviewers
will set the current reviewers as the default for future PRs for this repo and language -
@dependabot use these assignees
will set the current assignees as the default for future PRs for this repo and language -
@dependabot use this milestone
will set the current milestone as the default for future PRs for this repo and language -
@dependabot badge me
will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot dashboard:
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)