CVE-2020-26247: Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4. Needs a bump but fixed version is only an rc version so waiting may be a good idea too.
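An added example for defenders, not code from the Gentoo bug or from the Nokogiri project: it audits a Gemfile.lock for Nokogiri versions older than the 1.11.0.rc4 fix (using Gem::Version so release candidates compare correctly) and shows how to parse a schema with network access explicitly disabled rather than relying on the library default. The lock file contents are constructed. It assumes that Nokogiri::XML::Schema.new accepts a parse-options argument from 1.11.0 onward and that Nokogiri::XML::ParseOptions::NONET disables network fetches; check the documentation of the version you actually install.

```ruby
# Added example (not from the bug report or the Nokogiri project).
# Audits Gemfile.lock for Nokogiri releases affected by CVE-2020-26247 and
# loads an XML Schema with network access turned off explicitly.
require "rubygems"

# First release in which schemas are parsed without network access by default.
FIXED_VERSION = Gem::Version.new("1.11.0.rc4")

# True when the given version string is older than the fixed release.
# Gem::Version orders "1.11.0.rc4" before "1.11.0", as RubyGems itself does.
def vulnerable_nokogiri?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# Find every nokogiri entry in Gemfile.lock text, including platform-specific
# ones such as "nokogiri (1.10.10-x86_64-linux)", and report its status.
def audit_gemfile_lock(lock_text)
  lock_text.each_line.map do |line|
    m = line.match(/^\s+nokogiri \((\d[^)\s-]*)(?:-[^)]+)?\)\s*$/)
    next unless m
    { version: m[1], vulnerable: vulnerable_nokogiri?(m[1]) }
  end.compact
end

# Constructed sample lock file; not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.4.0)
      nokogiri (1.10.10)
        mini_portile2 (~> 2.4.0)
      nokogiri (1.10.10-x86_64-linux)
      racc (1.5.2)
LOCK

# Parse a schema with network access disabled regardless of the library
# default (assumption: Schema.new accepts parse options in 1.11.0+).
# Returns nil when the nokogiri gem is not installed, so the audit above
# still runs on a machine without it.
def load_schema_without_network(xsd_string)
  require "nokogiri"
  Nokogiri::XML::Schema.new(xsd_string, Nokogiri::XML::ParseOptions::NONET)
rescue LoadError
  nil
end

if $PROGRAM_NAME == __FILE__
  audit_gemfile_lock(SAMPLE_LOCK).each do |entry|
    status = entry[:vulnerable] ? "AFFECTED (older than #{FIXED_VERSION})" : "ok"
    puts "nokogiri #{entry[:version]}: #{status}"
  end
end
```

Passing NONET explicitly is worth keeping even after upgrading: it documents the intent in the calling code and protects against a later change of defaults or a downgrade pinned by another dependency.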
(In reply to John Helmert III (ajak) from comment #0)
> Needs a bump but fixed version is only an rc version so waiting may be a good
> idea too.

Yes, we'll wait for an official release.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0e4849bb6896cedf44d5bcae8cd1a07c7cf21ec

commit c0e4849bb6896cedf44d5bcae8cd1a07c7cf21ec
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-01-05 06:28:47 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-01-05 06:28:47 +0000

    dev-ruby/nokogiri: add 1.11.0

    Closes: https://bugs.gentoo.org/705334
    Closes: https://bugs.gentoo.org/762685
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/nokogiri/Manifest               |  1 +
 dev-ruby/nokogiri/nokogiri-1.11.0.ebuild | 98 ++++++++++++++++++++++++++++++++
 2 files changed, 99 insertions(+)
Need to keep open for stabling etc. Thanks for the bump! Let us know when it's ready.
Unable to check for sanity:
> no match for package: dev-ruby/nokogiri-1.11.1
What do we think?
Please test and mark stable.
amd64 done
x86 done
s390 done
sparc stable
ppc64 stable
arm64 done
arm done
ppc done all arches done
Please cleanup
cleanup done.
(In reply to Hans de Graaff from comment #16)
> cleanup done.

Thanks!
Package list is empty or all packages have requested keywords.
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4615e1d23edb7c238657339624a79b0f373b7ce8

commit 4615e1d23edb7c238657339624a79b0f373b7ce8
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 21:44:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 21:45:14 +0000

    [ GLSA 202208-29 ] Nokogiri: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/762685
    Bug: https://bugs.gentoo.org/837902
    Bug: https://bugs.gentoo.org/846623
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-29.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
GLSA done, all done.