[ANN] nokogiri security update - 1.6.7.2


Mike Dalessio

Jan 20, 2016, 2:19:25 PM
to ruby-sec...@googlegroups.com, ruby-talk, nokogiri-talk

Hello,

Nokogiri version 1.6.7.2 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVE:

CVE-2015-7499

Ubuntu classifies this as "Priority: Low", RedHat classifies this as "Impact: Moderate", and NIST classifies this as "Severity: 5.0 (MEDIUM)".

Full details are included below.

Please note that although CVE-2015-7499 was partially addressed in the 1.6.7.1 release, an additional commit was included in the latest Canonical security update from 2016-01-19 (along with two previous commits necessary for that patch to apply cleanly) also related to CVE-2015-7499, which we've pulled in.

Vulnerable versions: Nokogiri >= 1.6.0, <= 1.6.7.1; only affects installations using the vendored libxml2.

Recommended action: upgrade to 1.6.7.2.

Full CVE information:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7499

Original release date: 12/15/2015
CVSS v2 Base Score: 5.0 (MEDIUM)

Heap-based buffer overflow in the xmlGROW function in parser.c
in libxml2 before 2.9.3 allows context-dependent attackers to
obtain sensitive process memory information via unspecified
vectors.

Updated: 2016-01-19
http://www.ubuntu.com/usn/usn-2875-1/

libxml2 could be made to crash if it opened a specially crafted file.
It was discovered that libxml2 incorrectly handled certain
malformed documents. If a user or automated system were tricked into
opening a specially crafted document, an attacker could possibly cause
libxml2 to crash, resulting in a denial of service.
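A check for the affected configuration named in the announcement (Nokogiri >= 1.6.0, <= 1.6.7.1 with the vendored libxml2), added here as an example and not part of Mike's message or the Nokogiri project; it assumes `Nokogiri::VERSION_INFO["libxml"]["source"]` reads `"packaged"` for the vendored library and `"system"` otherwise, and treats any other value conservatively as affected.

```ruby
# Added example: classify an installed Nokogiri against the CVE-2015-7499
# advisory range. Only the vendored ("packaged") libxml2 is affected; a
# build against the system libxml2 is patched by the distro instead.
require "rubygems"

# Range quoted from the announcement.
VULN_LOW  = Gem::Version.new("1.6.0")
VULN_HIGH = Gem::Version.new("1.6.7.1")
FIXED     = Gem::Version.new("1.6.7.2")

# version:      the Nokogiri::VERSION string, e.g. "1.6.7.1"
# version_info: a hash shaped like Nokogiri::VERSION_INFO (assumption:
#               "libxml" => { "source" => "packaged" | "system" })
# Returns :patched, :out_of_range, :unaffected_system_libxml or :vulnerable.
def nokogiri_cve_2015_7499_status(version, version_info)
  v = Gem::Version.new(version)
  return :patched      if v >= FIXED      # 1.6.7.2 and later
  return :out_of_range if v < VULN_LOW    # pre-1.6.0 is outside the advisory
  # Gem::Version also places prereleases such as "1.6.7.2.rc1" inside the
  # range, which is the conservative answer for an unreleased build.
  source = (version_info["libxml"] || {})["source"]
  # Only an explicit system libxml2 is out of scope; unknown counts as affected.
  source == "system" ? :unaffected_system_libxml : :vulnerable
end

# Run the check against whatever Nokogiri is loadable in this Ruby.
def check_installed_nokogiri
  require "nokogiri"
  nokogiri_cve_2015_7499_status(Nokogiri::VERSION, Nokogiri::VERSION_INFO)
rescue LoadError
  :nokogiri_not_installed
end

if __FILE__ == $0
  puts "CVE-2015-7499 status: #{check_installed_nokogiri}"
end
```

Run it on each Ruby that loads Nokogiri; an installation reported as `:vulnerable` is the one the announcement asks to upgrade to 1.6.7.2.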