This repository has been archived by the owner on Feb 14, 2025. It is now read-only.

How to update rexml version? #144

Open
jwenjian opened this issue Dec 17, 2024 · 3 comments

Comments

@jwenjian

We are using trivy to scan the container images and found a HIGH issue with rexml-3.2.5. I'd like to update to >=3.3.9 to fix this issue. Are there any steps or documents?

Thanks!

  • trivy scan output:
ghcr.io/voxpupuli/puppetserver:8.7.0-latest (ubuntu 22.04)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-12-17T15:38:13+08:00       INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Ruby (gemspec)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│           Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├─────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ rexml (rexml-3.2.5.gemspec) │ CVE-2024-49761 │ HIGH     │ fixed  │ 3.2.5             │ >= 3.3.9      │ REXML is an XML toolkit for Ruby. The REXML gem before │
│                             │                │          │        │                   │               │ 3.3.9...                                               │
│                             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-49761             │
└─────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘
@rwaffen
Member

rwaffen commented Dec 20, 2024

Ah okay. It’s rexml again. I fixed it already in some other container. I will look into it to apply the fix also here.

@rwaffen
Member

rwaffen commented Dec 20, 2024

@jwenjian
Author

jwenjian commented Feb 7, 2025

Hi @rwaffen, may I know the status of this issue?
