Skip to content

Commit 4c48fe0

Browse files
saimekala07saimekala07
committed
security: Fix CVE-2025-58767 - Update REXML to 3.4.4
- Add rexml >= 3.4.2 constraint to gemspec - Update Gemfile.lock with rexml 3.4.4 (was 3.2.5) - Fixes DoS vulnerability in XML parsing - Aligns with security updates across dchbx repositories
1 parent 24917a6 commit 4c48fe0

File tree

3 files changed

+54
-43
lines changed

3 files changed

+54
-43
lines changed

.ruby-version

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
3.2.1
1+
3.2.5

Gemfile.lock

Lines changed: 51 additions & 42 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,7 @@ PATH
2121
nokogiri (>= 1.13.0)
2222
oj (~> 3.11)
2323
ox (~> 2.14)
24+
rexml (>= 3.4.2)
2425
typhoeus (~> 1.4.0)
2526

2627
GEM
@@ -87,12 +88,13 @@ GEM
8788
zeitwerk (~> 2.3)
8889
addressable (2.8.0)
8990
public_suffix (>= 2.0.2, < 5.0)
90-
amq-protocol (2.3.2)
91+
amq-protocol (2.3.4)
9192
ast (2.4.2)
93+
bigdecimal (3.2.3)
9294
bson (4.12.1)
9395
builder (3.2.4)
94-
bunny (2.19.0)
95-
amq-protocol (~> 2.3, >= 2.3.1)
96+
bunny (2.24.0)
97+
amq-protocol (~> 2.3)
9698
sorted_set (~> 1, >= 1.0.2)
9799
byebug (11.1.3)
98100
coderay (1.1.3)
@@ -106,34 +108,32 @@ GEM
106108
activerecord (>= 5.a)
107109
database_cleaner-core (~> 2.0.0)
108110
database_cleaner-core (2.0.1)
109-
deep_merge (1.2.1)
111+
deep_merge (1.2.2)
110112
diff-lcs (1.4.4)
111-
dry-configurable (0.12.1)
113+
dry-configurable (0.15.0)
112114
concurrent-ruby (~> 1.0)
113-
dry-core (~> 0.5, >= 0.5.0)
114-
dry-container (0.8.0)
115+
dry-core (~> 0.6)
116+
dry-container (0.11.0)
115117
concurrent-ruby (~> 1.0)
116-
dry-configurable (~> 0.1, >= 0.1.3)
117-
dry-core (0.7.1)
118+
dry-core (0.8.1)
118119
concurrent-ruby (~> 1.0)
119-
dry-equalizer (0.3.0)
120120
dry-events (0.3.0)
121121
concurrent-ruby (~> 1.0)
122122
dry-core (~> 0.5, >= 0.5)
123-
dry-inflector (0.2.1)
124-
dry-initializer (3.0.4)
123+
dry-inflector (0.3.0)
124+
dry-initializer (3.2.0)
125125
dry-logic (1.2.0)
126126
concurrent-ruby (~> 1.0)
127127
dry-core (~> 0.5, >= 0.5)
128128
dry-monads (1.4.0)
129129
concurrent-ruby (~> 1.0)
130130
dry-core (~> 0.7)
131-
dry-schema (1.6.2)
131+
dry-schema (1.10.6)
132132
concurrent-ruby (~> 1.0)
133-
dry-configurable (~> 0.8, >= 0.8.3)
133+
dry-configurable (~> 0.13, >= 0.13.0)
134134
dry-core (~> 0.5, >= 0.5)
135135
dry-initializer (~> 3.0)
136-
dry-logic (~> 1.0)
136+
dry-logic (~> 1.2)
137137
dry-types (~> 1.5)
138138
dry-struct (1.4.0)
139139
dry-core (~> 0.5, >= 0.5)
@@ -145,15 +145,14 @@ GEM
145145
dry-core (~> 0.5, >= 0.5)
146146
dry-inflector (~> 0.1, >= 0.1.2)
147147
dry-logic (~> 1.0, >= 1.0.2)
148-
dry-validation (1.6.0)
148+
dry-validation (1.8.1)
149149
concurrent-ruby (~> 1.0)
150150
dry-container (~> 0.7, >= 0.7.1)
151-
dry-core (~> 0.4)
152-
dry-equalizer (~> 0.2)
151+
dry-core (~> 0.5, >= 0.5)
153152
dry-initializer (~> 3.0)
154-
dry-schema (~> 1.5, >= 1.5.2)
153+
dry-schema (~> 1.8, >= 1.8.0)
155154
erubi (1.10.0)
156-
ethon (0.15.0)
155+
ethon (0.17.0)
157156
ffi (>= 1.15.0)
158157
faker (2.18.0)
159158
i18n (>= 1.6, < 2)
@@ -166,48 +165,57 @@ GEM
166165
multipart-post (>= 1.2, < 3)
167166
ruby2_keywords (>= 0.0.4)
168167
faraday-em_http (1.0.0)
169-
faraday-em_synchrony (1.0.0)
168+
faraday-em_synchrony (1.0.1)
170169
faraday-excon (1.1.0)
171-
faraday-net_http (1.0.1)
170+
faraday-net_http (1.0.2)
172171
faraday-net_http_persistent (1.2.0)
173-
faraday_middleware (1.2.0)
172+
faraday_middleware (1.2.1)
174173
faraday (~> 1.0)
175-
ffi (1.15.4)
174+
ffi (1.17.2)
176175
globalid (0.5.2)
177176
activesupport (>= 5.0)
178177
hashdiff (1.0.1)
179178
i18n (1.8.10)
180179
concurrent-ruby (~> 1.0)
181180
ice_nine (0.11.2)
182181
little-plugger (1.1.4)
183-
logging (2.3.0)
182+
logger (1.7.0)
183+
logging (2.3.1)
184184
little-plugger (~> 1.1)
185185
multi_json (~> 1.14)
186-
loofah (2.12.0)
186+
loofah (2.24.1)
187187
crass (~> 1.0.2)
188-
nokogiri (>= 1.5.9)
188+
nokogiri (>= 1.12.0)
189189
mail (2.7.1)
190190
mini_mime (>= 0.1.1)
191191
marcel (1.0.2)
192192
method_source (1.0.0)
193-
mime-types (3.3.1)
194-
mime-types-data (~> 3.2015)
195-
mime-types-data (3.2021.0901)
193+
mime-types (3.7.0)
194+
logger
195+
mime-types-data (~> 3.2025, >= 3.2025.0507)
196+
mime-types-data (3.2025.0916)
196197
mini_mime (1.1.2)
197-
mini_portile2 (2.8.1)
198+
mini_portile2 (2.8.9)
198199
minitest (5.14.4)
199200
mongo (2.14.0)
200201
bson (>= 4.8.2, < 5.0.0)
201202
mongoid (7.3.0)
202203
activemodel (>= 5.1, < 6.2)
203204
mongo (>= 2.10.5, < 3.0.0)
204-
multi_json (1.15.0)
205-
multipart-post (2.1.1)
205+
multi_json (1.17.0)
206+
multipart-post (2.4.1)
206207
mustermann (1.1.1)
207208
ruby2_keywords (~> 0.0.1)
208209
nio4r (2.5.8)
209-
oj (3.13.9)
210-
ox (2.14.5)
210+
nokogiri (1.18.10)
211+
mini_portile2 (~> 2.8.2)
212+
racc (~> 1.4)
213+
oj (3.16.11)
214+
bigdecimal (>= 3.0)
215+
ostruct (>= 0.2)
216+
ostruct (0.6.3)
217+
ox (2.14.23)
218+
bigdecimal (>= 3.0)
211219
parallel (1.20.1)
212220
parser (3.0.1.1)
213221
ast (~> 2.4.1)
@@ -218,7 +226,7 @@ GEM
218226
byebug (~> 11.0)
219227
pry (~> 0.10)
220228
public_suffix (4.0.6)
221-
racc (1.6.2)
229+
racc (1.8.1)
222230
rack (2.2.3)
223231
rack-protection (2.1.0)
224232
rack
@@ -239,8 +247,9 @@ GEM
239247
bundler (>= 1.15.0)
240248
railties (= 6.1.4.1)
241249
sprockets-rails (>= 2.0.0)
242-
rails-dom-testing (2.0.3)
243-
activesupport (>= 4.2.0)
250+
rails-dom-testing (2.3.0)
251+
activesupport (>= 5.0.0)
252+
minitest
244253
nokogiri (>= 1.6)
245254
rails-html-sanitizer (1.4.2)
246255
loofah (~> 2.3)
@@ -254,7 +263,7 @@ GEM
254263
rake (13.0.6)
255264
rbtree (0.4.6)
256265
regexp_parser (2.1.1)
257-
rexml (3.2.5)
266+
rexml (3.4.4)
258267
rspec-core (3.10.1)
259268
rspec-support (~> 3.10.0)
260269
rspec-expectations (3.10.1)
@@ -285,7 +294,7 @@ GEM
285294
parser (>= 3.0.1.1)
286295
ruby-progressbar (1.11.0)
287296
ruby2_keywords (0.0.4)
288-
set (1.0.2)
297+
set (1.1.2)
289298
sinatra (2.1.0)
290299
mustermann (~> 1.0)
291300
rack (~> 2.2)
@@ -303,7 +312,7 @@ GEM
303312
sprockets (>= 3.0.0)
304313
thor (1.1.0)
305314
tilt (2.0.10)
306-
typhoeus (1.4.0)
315+
typhoeus (1.4.1)
307316
ethon (>= 0.9.0)
308317
tzinfo (2.0.4)
309318
concurrent-ruby (~> 1.0)
@@ -336,4 +345,4 @@ DEPENDENCIES
336345
yard
337346

338347
BUNDLED WITH
339-
2.2.14
348+
2.5.22

event_source.gemspec

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -54,6 +54,8 @@ Gem::Specification.new do |spec|
5454
spec.add_dependency 'mime-types'
5555
spec.add_dependency 'oj', '~> 3.11'
5656
spec.add_dependency 'ox', '~> 2.14'
57+
# Security: Fix CVE-2025-58767 - REXML DoS vulnerability
58+
spec.add_dependency 'rexml', '>= 3.4.2'
5759
spec.add_dependency 'typhoeus', '~> 1.4.0'
5860

5961
# TODO: Change to development dependency

0 commit comments

Comments
 (0)