REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
{ "binaries": [ { "binary_name": "libruby2.3", "binary_version": "2.3.1-2~ubuntu16.04.16+esm10" }, { "binary_name": "ruby2.3", "binary_version": "2.3.1-2~ubuntu16.04.16+esm10" }, { "binary_name": "ruby2.3-dev", "binary_version": "2.3.1-2~ubuntu16.04.16+esm10" }, { "binary_name": "ruby2.3-tcltk", "binary_version": "2.3.1-2~ubuntu16.04.16+esm10" } ], "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro" }
{ "binaries": [ { "binary_name": "libruby2.5", "binary_version": "2.5.1-1ubuntu1.16+esm4" }, { "binary_name": "ruby2.5", "binary_version": "2.5.1-1ubuntu1.16+esm4" }, { "binary_name": "ruby2.5-dev", "binary_version": "2.5.1-1ubuntu1.16+esm4" } ], "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro" }
{ "binaries": [ { "binary_name": "libruby3.2", "binary_version": "3.2.3-1ubuntu0.24.04.3" }, { "binary_name": "ruby3.2", "binary_version": "3.2.3-1ubuntu0.24.04.3" }, { "binary_name": "ruby3.2-dev", "binary_version": "3.2.3-1ubuntu0.24.04.3" } ], "availability": "No subscription required" }