From d2a712bd900727a4cac0ed8c99d06e916c0db5e6 Mon Sep 17 00:00:00 2001
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com>
Date: Tue, 6 Jan 2026 07:28:49 +1300
Subject: [PATCH 1/3] fix: update CVE-2025-58767 to include Ruby 3.3

---
 rubies/ruby/CVE-2025-58767.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rubies/ruby/CVE-2025-58767.yml b/rubies/ruby/CVE-2025-58767.yml
index d1f635a31d..8a93d5c391 100644
--- a/rubies/ruby/CVE-2025-58767.yml
+++ b/rubies/ruby/CVE-2025-58767.yml
@@ -14,11 +14,13 @@ description: |
 
 patched_versions:
   - ">= 3.4.8"
+  - "~> 3.3.10"
 related:
   url:
     - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml
     - https://www.cve.org/CVERecord?id=CVE-2025-58767
     - https://www.ruby-lang.org/en/news/2025/12/17/ruby-3-4-8-released/
     - https://bugs.ruby-lang.org/issues/21632
+    - https://github.com/ruby/ruby/pull/14796
 notes: |
-  Ruby 3.3 and 3.2 have PRs to backport the fix but new versions haven't been released yet.
+  The fix has also been backported to Ruby 3.2 but a new version is yet to be released.

From 63d5d33275009c1e19509b7e90990970d4177efe Mon Sep 17 00:00:00 2001
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com>
Date: Wed, 14 Jan 2026 15:07:41 +1300
Subject: [PATCH 2/3] fix: mark Ruby 3.2.10 at patched too

---
 rubies/ruby/CVE-2025-58767.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rubies/ruby/CVE-2025-58767.yml b/rubies/ruby/CVE-2025-58767.yml
index 8a93d5c391..c3b7af0b7f 100644
--- a/rubies/ruby/CVE-2025-58767.yml
+++ b/rubies/ruby/CVE-2025-58767.yml
@@ -15,6 +15,7 @@ description: |
 patched_versions:
   - ">= 3.4.8"
   - "~> 3.3.10"
+  - "~> 3.2.10"
 related:
   url:
     - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml
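Review bot: The new `"~> 3.3.10"` entry in `patched_versions` is not backed by a release reference under `related.url`, whereas the existing `">= 3.4.8"` entry is traceable to the ruby-lang.org 3.4.8 release post already listed there; the added `https://github.com/ruby/ruby/pull/14796` link shows the backport was merged, not that a 3.3.10 release shipped. The same gap applies to the `"~> 3.2.10"` entry added in the first hunk of PATCH 2/3. Since downstream tooling treats `patched_versions` as an authoritative "safe" range, each backport release the advisory now vouches for should cite its announcement, e.g. `- <ruby-lang.org release announcement URL for 3.3.10>` (and the 3.2.10 equivalent) under `related.url`. The `description:` block that precedes these hunks starts outside the visible lines.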
@@ -22,5 +23,3 @@ related:
     - https://www.ruby-lang.org/en/news/2025/12/17/ruby-3-4-8-released/
     - https://bugs.ruby-lang.org/issues/21632
     - https://github.com/ruby/ruby/pull/14796
-notes: |
-  The fix has also been backported to Ruby 3.2 but a new version is yet to be released.

From 90bf71d461d23ca535849fed7bd0a57e77051f9a Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Tue, 13 Jan 2026 20:33:09 -0800
Subject: [PATCH 3/3] Correct order of `patched_versions:` in CVE-2025-58767.yml

---
 rubies/ruby/CVE-2025-58767.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rubies/ruby/CVE-2025-58767.yml b/rubies/ruby/CVE-2025-58767.yml
index c3b7af0b7f..40cfbfa56c 100644
--- a/rubies/ruby/CVE-2025-58767.yml
+++ b/rubies/ruby/CVE-2025-58767.yml
@@ -13,9 +13,9 @@ description: |
   The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.
 
 patched_versions:
-  - ">= 3.4.8"
-  - "~> 3.3.10"
   - "~> 3.2.10"
+  - "~> 3.3.10"
+  - ">= 3.4.8"
 related:
   url:
     - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml