Reference: MLIST:[oss-security] 20130306 CVE for Ruby Entity expansion DoS
vulnerability in REXML (XML bomb)
lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows
remote attackers to cause a denial of service (memory consumption and
crash) via crafted text nodes in an XML document, aka an XML Entity
Expansion (XEE) attack.
Steps to Reproduce:
NOTE: this is fixed in updates_testing/ruby-1.8.7.p358-1.3.mga2.src.rpm with:
How I hate the mga rpm changelogs...
Fixed in Bug 9300.
Oden, forget about the package changelogs.
Bugzilla has this nice search feature.
Go to the Search page, make sure you have Advanced Search selected (tab at top).
Under Status:, hold the Ctrl key and click on RESOLVED.
Then search for the package name you're interested in.
Almost all of the security bugs have the CVE(s) at the end of the bug name.
*** This bug has been marked as a duplicate of bug 9300 ***
Note that you can also look at svnweb, which usually has the CVEs in the commit messages (not always in Cauldron, but almost always in stable). For instance: