ALT-BU-2025-2274-2
Branch c10f2 update bulletin.
Closed vulnerabilities
Modified: 2025-04-30
BDU:2024-07419
Уязвимость набора инструментов XML для Ruby REXML, связанная с неконтролируемым потреблением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2024-07430
Уязвимость набора инструментов XML для Ruby REXML, связанная с неправильным ограничением рекурсивных ссылок на сущности в DTD, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-11-03
CVE-2024-41946
REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.
- https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
- https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
- https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946
- https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
- https://security.netapp.com/advisory/ntap-20250117-0007/
Modified: 2025-11-03
CVE-2024-43398
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.
Modified: 2025-11-04
GHSA-5866-49gr-22v4
REXML DoS vulnerability
- https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
- https://nvd.nist.gov/vuln/detail/CVE-2024-41946
- https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
- https://github.com/ruby/rexml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41946.yml
- https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
- https://security.netapp.com/advisory/ntap-20250117-0007
- https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946
Modified: 2025-11-04
GHSA-vmwr-mc7x-5vc3
REXML denial of service vulnerability
- https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
- https://nvd.nist.gov/vuln/detail/CVE-2024-43398
- https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3
- https://github.com/ruby/rexml
- https://github.com/ruby/rexml/releases/tag/v3.3.6
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-43398.yml
- https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
- https://security.netapp.com/advisory/ntap-20250103-0006
- https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398
Closed vulnerabilities
Modified: 2026-03-04
BDU:2025-01459
Уязвимость сервера DNS BIND, связанная с асимметричным потреблением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-03-04
BDU:2025-07734
Уязвимость реализации DoH сервера DNS BIND, связанная с выделением неограниченной памяти, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-04-15
CVE-2024-11187
It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.
Modified: 2026-04-15
CVE-2024-12705
Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.