[ANN] nokogiri security update - 1.6.8

[Mike Dalessio]

Hello,

Nokogiri version 1.6.8 has been released, updating to libxml2 2.9.4 to address multiple CVEs, including:

    CVE-2015-8806

    CVE-2016-1762

    CVE-2016-1833

    CVE-2016-1834

    CVE-2016-1835

    CVE-2016-1836

    CVE-2016-1837

    CVE-2016-1838

    CVE-2016-1839

    CVE-2016-1840

    CVE-2016-2073

    CVE-2016-3627

    CVE-2016-3705

    CVE-2016-4447

    CVE-2016-4449

    CVE-2016-4483

These CVEs are all low or medium priority according to Canonical [1]. Full details are included below.

Vulnerable versions: Nokogiri >= 1.6.0, < 1.6.8; only affects installation using the vendored libxml2.

Recommended action: upgrade to Nokogiri 1.6.8

  [1]: http://www.ubuntu.com/usn/usn-2994-1/

----

Full CVE information (from upstream libxml2):

It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. (CVE-2015-8806, CVE-2016-2073,CVE-2016-3627, CVE-2016-3705, CVE-2016-4447)

It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash,resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-1762, CVE-2016-1834)

Mateusz Jurczyk discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-1833, CVE-2016-1838, CVE-2016-1839)

Wei Lei and Liu Yang discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-1835, CVE-2016-1837)

Wei Lei and Liu Yang discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2016-1836)

Kostya Serebryany discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-1840)

It was discovered that libxml2 would load certain XML external entities. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly obtain access to arbitrary files or cause resource consumption. (CVE-2016-4449)

Gustavo Grieco discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. (CVE-2016-4483)