SUSE-CU-2024:5483-1: Security update of bci/ruby
sle-container-updates at lists.suse.com
Mon Nov 4 12:50:14 UTC 2024
SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:5483-1
Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-29.2 , bci/ruby:latest
Container Release : 29.2
Severity : important
Type : security
References : 1193578 1224390 1228072 1228794 1228799 1229673 1231833 CVE-2021-43809
CVE-2024-35176 CVE-2024-39908 CVE-2024-41123 CVE-2024-41946 CVE-2024-43398
-----------------------------------------------------------------
The container bci/ruby was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3865-1
Released: Fri Nov 1 16:10:37 2024
Summary: Recommended update for gcc14
Type: recommended
Severity: moderate
References: 1231833
This update for gcc14 fixes the following issues:
- Fixed parsing timezone tzdata 2024b [gcc#116657 bsc#1231833]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3873-1
Released: Fri Nov 1 16:22:15 2024
Summary: Security update for rubygem-bundler
Type: security
Severity: important
References: 1193578,CVE-2021-43809
This update for rubygem-bundler fixes the following issues:
- CVE-2021-43809: Fixed remote execution via Gemfile argument injection (bsc#1193578)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3874-1
Released: Fri Nov 1 16:24:52 2024
Summary: Security update for ruby2.5
Type: security
Severity: important
References: 1224390,1228072,1228794,1228799,1229673,CVE-2024-35176,CVE-2024-39908,CVE-2024-41123,CVE-2024-41946,CVE-2024-43398
This update for ruby2.5 fixes the following issues:
- CVE-2024-43398: Fixed DoS when parsing an XML that has many deep elements with the same local name attributes (bsc#1229673)
- CVE-2024-41123: Fixed DoS when parsing an XML that contains many specific characters such as whitespaces, >] and ]> (bsc#1228794)
- CVE-2024-41946: Fixed DoS when parsing an XML that has many entity expansions with SAX2 or pull parser API (bsc#1228799)
- CVE-2024-35176: Fixed DoS when parsing an XML that has many left angled brackets in an attribute value (bsc#1224390)
- CVE-2024-39908: Fixed ReDoS when parsing an XML that has many specific characters (bsc#1228072)
The following package changes have been done:
- libatomic1-14.2.0+git10526-150000.1.6.1 updated
- libgomp1-14.2.0+git10526-150000.1.6.1 updated
- libitm1-14.2.0+git10526-150000.1.6.1 updated
- liblsan0-14.2.0+git10526-150000.1.6.1 updated
- libruby2_5-2_5-2.5.9-150000.4.32.1 updated
- ruby2.5-stdlib-2.5.9-150000.4.32.1 updated
- ruby2.5-2.5.9-150000.4.32.1 updated
- ruby2.5-rubygem-bundler-1.16.1-150000.3.6.1 updated
- ruby2.5-devel-2.5.9-150000.4.32.1 updated
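The practical question for anyone running this image is whether their container actually carries the package levels listed above. The following Ruby script is an added example, not part of the SUSE advisory or of the bci/ruby image: it compares a list of installed package NVRs (here a constructed sample standing in for `rpm -qa` output) against the fixed versions from this advisory, using a re-implementation of RPM's segment-wise version comparison (tilde handled, caret not). Only packages that are installed and still below the fixed level are reported.

```ruby
# Fixed package levels, copied from the "package changes" list of SUSE-CU-2024:5483-1.
FIXED_PACKAGES = %w[
  libatomic1-14.2.0+git10526-150000.1.6.1
  libgomp1-14.2.0+git10526-150000.1.6.1
  libitm1-14.2.0+git10526-150000.1.6.1
  liblsan0-14.2.0+git10526-150000.1.6.1
  libruby2_5-2_5-2.5.9-150000.4.32.1
  ruby2.5-stdlib-2.5.9-150000.4.32.1
  ruby2.5-2.5.9-150000.4.32.1
  ruby2.5-rubygem-bundler-1.16.1-150000.3.6.1
  ruby2.5-devel-2.5.9-150000.4.32.1
].freeze

# Constructed sample of `rpm -qa` output from a container that has not yet
# picked up the ruby2.5 update (release 4.29.1 is an assumed older level).
INSTALLED_SAMPLE = %w[
  libatomic1-14.2.0+git10526-150000.1.6.1
  libgomp1-14.2.0+git10526-150000.1.6.1
  libruby2_5-2_5-2.5.9-150000.4.29.1
  ruby2.5-2.5.9-150000.4.29.1
  ruby2.5-rubygem-bundler-1.16.1-150000.3.6.1
].freeze

# RPM-style version comparison: the string is cut into runs of digits and
# runs of letters, separators are ignored, numeric runs compare as integers,
# a numeric run beats an alphabetic one, a tilde sorts before anything
# (including the end of the string), and leftover segments win.
def rpm_vercmp(a, b)
  return 0 if a == b
  sa = a.scan(/\d+|[A-Za-z]+|~/)
  sb = b.scan(/\d+|[A-Za-z]+|~/)
  loop do
    x = sa.shift
    y = sb.shift
    return -1 if x == '~' && y != '~'
    return 1 if y == '~' && x != '~'
    next if x == '~' && y == '~'
    return 0 if x.nil? && y.nil?
    return -1 if x.nil?
    return 1 if y.nil?
    x_num = x.match?(/\A\d/)
    y_num = y.match?(/\A\d/)
    c = if x_num && y_num
          x.to_i <=> y.to_i
        elsif x_num
          1
        elsif y_num
          -1
        else
          x <=> y
        end
    return c unless c.zero?
  end
end

# name-version-release: version and release never contain '-', the name may.
def split_nvr(nvr)
  rest, _, release = nvr.rpartition('-')
  name, _, version = rest.rpartition('-')
  [name, version, release]
end

# Compare version first, release only on a tie (epoch not used by these packages).
def evr_cmp(v1, r1, v2, r2)
  c = rpm_vercmp(v1, v2)
  c.zero? ? rpm_vercmp(r1, r2) : c
end

# Names of packages that are installed but still below the advisory's fixed level.
def missing_updates(installed_nvrs, fixed_nvrs = FIXED_PACKAGES)
  installed = {}
  installed_nvrs.each do |nvr|
    name, v, r = split_nvr(nvr)
    installed[name] = [v, r]
  end
  fixed_nvrs.map { |nvr| split_nvr(nvr) }.select do |name, v, r|
    cur = installed[name]
    cur && evr_cmp(cur[0], cur[1], v, r) < 0
  end.map(&:first)
end

if __FILE__ == $PROGRAM_NAME
  # In a real container replace INSTALLED_SAMPLE with `rpm -qa`.split.
  stale = missing_updates(INSTALLED_SAMPLE)
  if stale.empty?
    puts 'all advisory packages are at or above the fixed level'
  else
    puts "still below fixed level: #{stale.join(', ')}"
  end
end
```

Running it inside the container with the real `rpm -qa` output in place of the sample tells you whether the ruby2.5 and bundler fixes above are present; an empty result means every installed package named in the advisory is at or above the listed release.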