Hello,
Nokogiri version 1.6.7.2 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVE:
CVE-2015-7499
Ubuntu classifies this as "Priority: Low", Red Hat classifies this as "Impact: Moderate", and NIST classifies this as "Severity: 5.0 (MEDIUM)".
Full details are included below.
Please note that although CVE-2015-7499 was partially addressed in the 1.6.7.1 release, an additional commit was included in the latest Canonical security update from 2016-01-19 (along with two previous commits necessary for that patch to apply cleanly) also related to CVE-2015-7499, which we've pulled in.
Vulnerable versions: Nokogiri >= 1.6.0, <= 1.6.7.1; only affects installations using the vendored libxml2.
Recommended action: upgrade to 1.6.7.2.
Full CVE information:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7499
Original release date: 12/15/2015
CVSS v2 Base Score: 5.0 (MEDIUM)
Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.
Updated: 2016-01-19
http://www.ubuntu.com/usn/usn-2875-1/
libxml2 could be made to crash if it opened a specially crafted file.
It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service.