Add advisory for CVE-2025-58767 (DoS vulnerability in REXML)

[hudakh]

CVE-2025-58767 advisory rubies/ruby/CVE-2025-58767

[postmodern]

We already have this advisory as gems/rexml/CVE-2025-58767.yml. Also, the patched_versions mentions 3.2.10 and 3.3.11, except I don't believe Ruby 3.2.10 or 3.3.11 were ever released.

[hudakh]

We already have this advisory as gems/rexml/CVE-2025-58767.yml. Also, the patched_versions mentions 3.2.10 and 3.3.11, except I don't believe Ruby 3.2.10 or 3.3.11 were ever released.

Thanks for the review.

I wanted to clarify the rationale for adding a rubies/ruby entry in this case.

After checking the repository, there are already multiple CVEs that exist in both rubies/ruby and gems/*, for example:

CVE-2009-4492
CVE-2017-10784
CVE-2017-14033
CVE-2018-16395
CVE-2020-10663
CVE-2021-33621
CVE-2025-24294
CVE-2025-61594

These duplicates suggest that the repository has historically represented some vulnerabilities at both the Ruby implementation level and the gem level, particularly for bundled stdlib components. You reviewed the last two for me too!

Is the current policy is to avoid new duplication? If that’s the case, it might be helpful to document this expectation (or clean up existing duplicates) to avoid future confusion.

Please let me know how you’d prefer to handle this going forward.

As for ruby 3.2.10 and 3.3.11, the PRs to update the gem in ruby 3.2 and 3.3 have been merged, but new versions of ruby haven't been released yet. I added this in the notes section as I wasn't sure how to handle it.

[postmodern]

OK, CVE-2025-61594 is mentioned in the 3.4.8 release notes. If a new version of Ruby was released to address a CVE, then we do need an advisory in the rubies/ruby/ directory. Only mention Ruby versions that have been released.

[G-Rath]

Note Ruby 3.3.10 with the backport has already been released when this was landed, and now Ruby 3.2.10 has been released with the backport - I've opened #946 to update the advisory