| Summary: | <dev-ruby/nokogiri-1.6.4.1: Two Denial of Service Vulnerabilities | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | ruby |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://secunia.com/advisories/56179/ | ||
| Whiteboard: | B3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
Upstream doesn't have release tags for these versions so we can't easily bump this. I've filed a bug for this: https://github.com/sparklemotion/nokogiri/issues/1025 Note that this issue only affects nokogiri when used with jruby. The wording in the bug is ambigous regarding 1.6.1, but this is also only relevant when using jruby. Current stable nokogiri version is 1.6.4.1 and I just removed 1.5.10 which was still vulnerable. All vulnerable versions have been removed. GLSA Coordinators: Please vote Arches and Maintainer(s), Thank you for your work. GLSA Vote: No GLSA Vote: No |
From ${URL} : Description Two vulnerabilities have been reported in the Nokogiri gem for Ruby, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) An error when parsing XML documents can be exploited to cause an infinite loop and subsequently exhaust memory and cause a crash via a specially crafted XML document. 2) An error when parsing XML entities and can be exploited to exhaust memory and cause a crash via a specially crafted XML document including external entity references. The vulnerabilities are reported in the 1.6.x versions prior to 1.6.1 and the 1.5.x versions prior to 1.5.11 running on JRuby. Solution: Update to version 1.6.1 or 1.5.11 or apply patches (please see the vendor's advisory for details). Provided and/or discovered by: The vendor credits: 1) Yoko Harada and John Shahid. 2) Jonas Nicklas. Original Advisory: https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.