When parsing and serializing a crafted XML document, the REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML.
Reference: https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
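Added example, not from the advisory or the REXML project: a defensive round-trip consistency check in Ruby that parses a document with REXML, serializes it, re-parses the output and compares the two trees, plus a gate on REXML::VERSION 3.2.5 (the first rexml release carrying the fix discussed in this bug). The sample document and the helper names are constructed for this illustration.

```ruby
require "rexml/document"

# Reduce an REXML tree to a plain nested structure (names, sorted attributes,
# non-blank text) so two parses can be compared independently of formatting.
# Helper name is ours, not part of REXML.
def rexml_shape(node)
  case node
  when REXML::Document
    rexml_shape(node.root)
  when REXML::Element
    { name: node.expanded_name,
      # Attributes#each yields [expanded_name, value] pairs
      attrs: node.attributes.map { |name, value| [name, value] }.sort,
      children: node.children.map { |c| rexml_shape(c) }.compact }
  when REXML::CData          # must precede Text: CData is a Text subclass
    node.value.strip
  when REXML::Text
    s = node.value.strip     # value is the unescaped character data
    s.empty? ? nil : s
  else
    nil                      # comments, PIs and declarations are ignored here
  end
end

# True when parse -> serialize -> parse preserves the logical structure.
# A false result is the failure mode this bug describes: the document should
# not be re-emitted or acted on as if it were the original.
def rexml_round_trip_stable?(xml)
  first  = REXML::Document.new(xml)
  output = +""
  first.write(output)
  second = REXML::Document.new(output)
  rexml_shape(first) == rexml_shape(second)
rescue REXML::ParseException
  false
end

# Version gate: 3.2.5 is the first rexml release carrying the fix.
def rexml_fixed_version?(version = REXML::VERSION)
  Gem::Version.new(version) >= Gem::Version.new("3.2.5")
end

if __FILE__ == $0
  sample = '<order id="7"><item qty="2">widget &amp; gadget</item></order>' # constructed
  puts "round trip stable: #{rexml_round_trip_stable?(sample)}"
  puts "rexml #{REXML::VERSION} fixed: #{rexml_fixed_version?}"
end
```

The structural comparison is deliberately independent of whitespace and attribute order, so only a real change in elements, attributes or character data makes the check fail.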
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1947527]
Created ruby:2.6/ruby tracking bugs for this issue:
Affects: fedora-33 [bug 1947528]
Created ruby:2.7/ruby tracking bugs for this issue:
Affects: fedora-33 [bug 1947529]
Created ruby:master/ruby tracking bugs for this issue:
Affects: fedora-all [bug 1947530]
Red Hat CloudForms is in maintenance support 2 phase and we won't be fixing Low and Medium severity security issues. Please refer to the CloudForms updated Statement of Direction: https://access.redhat.com/articles/4639821
A fixed version of rexml is included in Ruby versions 2.5.9, 2.6.7, 2.7.3, and 3.0.1:
https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-5-9-released/
https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-6-7-released/
https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-7-3-released/
https://www.ruby-lang.org/en/news/2021/04/05/ruby-3-0-1-released/
The hackerone report for this issue is now public: https://hackerone.com/reports/1104077
The fix for this issue is split across multiple commits in the upstream repo:
https://github.com/ruby/rexml/commit/a659c63e37414506dfb0d4655e031bb7a2e73fc8
https://github.com/ruby/rexml/commit/2fe62e29094d95921d7e19abbd2e26b23d78dc5b
https://github.com/ruby/rexml/commit/6a250d2cd1194c2be72becbdd9c3e770aa16e752
https://github.com/ruby/rexml/commit/f7bab8937513b1403cea5aff874cbf32fd5e8551
https://github.com/ruby/rexml/commit/f9d88e4948b4a43294c25dc0edb16815bd9d8618
https://github.com/ruby/rexml/commit/9b311e59ae05749e082eb6bbefa1cb620d1a786e
https://github.com/ruby/rexml/commit/3c137eb119550874b2b3e27d12b733ca67033377
Alternatively, the list of commits can be found at the end of the list of changes in rexml between versions 3.2.4 and 3.2.5: https://github.com/ruby/rexml/compare/v3.2.4...v3.2.5
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:2104 https://access.redhat.com/errata/RHSA-2021:2104
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-28965
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:2229 https://access.redhat.com/errata/RHSA-2021:2229
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:2584 https://access.redhat.com/errata/RHSA-2021:2584
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:2587 https://access.redhat.com/errata/RHSA-2021:2587
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582