(PA-6507) Update gem rexml from default to 3.2.7 for CVE-2024-35176

- The CVE was mitigated from rexml version 3.2.7. - Patching for the CVE wasn't getting applied cleanly and had a lot of conflicts. So updated the gem version to 3.2.7 in the rexml component file. - Added the change to _shared-agent-components since the CVE impacts both agent-runtime-main (ruby 3.2.4 using rexml 3.2.6) and agent-runtime-7.x (ruby 2.7.8 using rexml 3.2.3). - Added rubygems-strscan component with version 3.0.9 because rexml 3.2.7 requires strscan 3.0.9 but agent-runtime rubies come with older version of it.
puppetlabs · Jul 11, 2024 · b5de92f · b5de92f
1 parent 0014ae7
commit b5de92f
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/configs/components/rubygem-rexml.rb b/configs/components/rubygem-rexml.rb
@@ -1,6 +1,6 @@
 component 'rubygem-rexml' do |pkg, settings, platform|
-  pkg.version '3.2.6'
-  pkg.md5sum 'a57288ae5afed07dd08c9f1302da7b25'
+  pkg.version '3.2.7'
+  pkg.md5sum '78ddb64f45975a40e5d6b644e12aba32'
 
   instance_eval File.read('configs/components/_base-rubygem.rb')
 end
diff --git a/configs/components/rubygem-strscan.rb b/configs/components/rubygem-strscan.rb
@@ -0,0 +1,7 @@
+component 'rubygem-rexml' do |pkg, settings, platform|
+    pkg.version '3.0.9'
+    pkg.md5sum '712528845b4f24bb15989f8964b99cc4'
+
+    instance_eval File.read('configs/components/_base-rubygem.rb')
+  end
+
diff --git a/configs/projects/_shared-agent-components.rb b/configs/projects/_shared-agent-components.rb
@@ -69,3 +69,6 @@
 if platform.is_macos?
   proj.component 'rubygem-CFPropertyList'
 end
+
+proj.component 'rubygem-strscan'
+proj.component 'rubygem-rexml'