(PA-6881) Adding rexml gem to agent-runtime-main for CVE-2024-41123 and

CVE-2024-41946
puppetlabs · Aug 23, 2024 · 63d6a58 · 63d6a58
1 parent 38fc20b
commit 63d6a58
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/configs/projects/agent-runtime-main.rb b/configs/projects/agent-runtime-main.rb
@@ -63,6 +63,12 @@
   proj.component 'rubygem-thor'
   proj.component 'rubygem-scanf'
 
+  # We add rexml explicitly in here because even though ruby 3 ships with rexml as its default gem, the version
+  # of rexml it ships with contains CVE-2024-41946 and CVE-2024-41123.
+  # So, we add it here to update to a higher version
+  # free from the CVEs.
+  proj.component 'rubygem-rexml'
+
   if platform.is_linux?
     proj.component "virt-what"
     proj.component "dmidecode" unless platform.architecture =~ /ppc64/