[ANN] nokogiri security update - 1.6.7.1

Mike Dalessio

Dec 17, 2015, 12:27:19 AM
to ruby-talk, nokogiri-talk, ruby-sec...@googlegroups.com
Hello,

Nokogiri version 1.6.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:

  CVE-2015-5312
  CVE-2015-7497
  CVE-2015-7498
  CVE-2015-7499
  CVE-2015-7500
  CVE-2015-8241
  CVE-2015-8242
  CVE-2015-8317

These CVEs are all low or medium priority according to Canonical; however, NIST NVD gives CVE-2015-5312 a high severity score. Full details are included below.


Vulnerable versions: Nokogiri >= 1.6.0, <= 1.6.7; only affects installations using the vendored libxml2.

Recommended action: upgrade to 1.6.7.1


Full CVE information:


CVE-2015-5312

  Original release date: 12/15/2015
  CVSS v2 Base Score: 7.1 (HIGH)

  The xmlStringLenDecodeEntities function in parser.c in libxml2
  before 2.9.3 does not properly prevent entity expansion, which
  allows context-dependent attackers to cause a denial of
  service (CPU consumption) via crafted XML data, a different
  vulnerability than CVE-2014-3660.



CVE-2015-7497

  Original release date: 12/15/2015
  CVSS v2 Base Score: 5.0 (MEDIUM)

  Heap-based buffer overflow in the xmlDictComputeFastQKey
  function in dict.c in libxml2 before 2.9.3 allows
  context-dependent attackers to cause a denial of service via
  unspecified vectors.



CVE-2015-7498

  Original release date: 12/15/2015
  CVSS v2 Base Score: 5.0 (MEDIUM)

  Heap-based buffer overflow in the xmlParseXmlDecl function in
  parser.c in libxml2 before 2.9.3 allows context-dependent
  attackers to cause a denial of service via unspecified vectors
  related to extracting errors after an encoding conversion
  failure.



CVE-2015-7499

  Original release date: 12/15/2015
  CVSS v2 Base Score: 5.0 (MEDIUM)

  Heap-based buffer overflow in the xmlGROW function in parser.c
  in libxml2 before 2.9.3 allows context-dependent attackers to
  obtain sensitive process memory information via unspecified
  vectors.



CVE-2015-7500

  Original release date: 12/15/2015
  CVSS v2 Base Score: 5.0 (MEDIUM)

  The xmlParseMisc function in parser.c in libxml2 before 2.9.3
  allows context-dependent attackers to cause a denial of
  service (out-of-bounds heap read) via unspecified vectors
  related to incorrect entities boundaries and start tags.



CVE-2015-8241

  Original release date: 12/15/2015
  CVSS v2 Base Score: 6.4 (MEDIUM)

  The xmlNextChar function in libxml2 2.9.2 does not properly
  check the state, which allows context-dependent attackers to
  cause a denial of service (heap-based buffer over-read and
  application crash) or obtain sensitive information via crafted
  XML data.



CVE-2015-8242

  Original release date: 12/15/2015
  CVSS v2 Base Score: 5.8 (MEDIUM)

  The xmlSAX2TextNode function in SAX2.c in the push interface in
  the HTML parser in libxml2 before 2.9.3 allows
  context-dependent attackers to cause a denial of
  service (stack-based buffer over-read and application crash) or
  obtain sensitive information via crafted XML data.



CVE-2015-8317

  Original release date: 12/15/2015
  CVSS v2 Base Score: 5.0 (MEDIUM)

  The xmlParseXMLDecl function in parser.c in libxml2 before
  2.9.3 allows context-dependent attackers to obtain sensitive
  information via an (1) unterminated encoding value or (2)
  incomplete XML declaration in XML data, which triggers an
  out-of-bounds heap read.
