
Commit 2315dac

fa11enangel authored and RubySec CI committed
Updated advisory posts against rubysec/ruby-advisory-db@9302888
1 parent c1f2491 commit 2315dac

File tree

1 file changed

+53
-0
lines changed

Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2024-25062 (nokogiri): Improper Handling of Unexpected Data Type in Nokogiri'
4+
comments: false
5+
categories:
6+
- nokogiri
7+
advisory:
8+
gem: nokogiri
9+
cve: 2024-25062
10+
ghsa: xc9x-jj77-9p9j
11+
url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
12+
title: Improper Handling of Unexpected Data Type in Nokogiri
13+
date: 2024-02-04
14+
description: |
15+
### Summary
16+
17+
Nokogiri v1.16.2 upgrades the version of its dependency libxml2 to v2.12.5.
18+
19+
libxml2 v2.12.5 addresses the following vulnerability:
20+
21+
CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
22+
described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
23+
patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
24+
25+
Please note that this advisory only applies to the CRuby implementation of
26+
Nokogiri < 1.16.2, and only if the packaged libraries are being used. If
27+
you've overridden defaults at installation time to use system libraries
28+
instead of packaged libraries, you should instead pay attention to your
29+
distro's libxml2 release announcements.
30+
31+
### Severity
32+
33+
The Nokogiri maintainers have evaluated this as **Moderate**.
34+
35+
### Mitigation
36+
37+
Upgrade to Nokogiri >= 1.16.2.
38+
39+
Users who are unable to upgrade Nokogiri may also choose a more complicated
40+
mitigation: compile and link Nokogiri against external libraries libxml2 >=
41+
2.12.5 which will also address these same issues.
42+
43+
JRuby users are not affected.
44+
45+
### Workarounds
46+
patched_versions:
47+
- ">= 1.16.2"
48+
related:
49+
url:
50+
- https://github.com/sparklemotion/nokogiri/commit/1b768b797fd42d94de12b9cff4ed0221f5cb92ec
51+
- https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.2
52+
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
53+
---
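Review bot: the `### Workarounds` heading is the last line of the `description` block and has no body, so the rendered advisory post will show an empty section; either drop the heading or add a sentence under it stating that no workarounds are known beyond the mitigations already listed (upgrade, or build against an external libxml2 >= 2.12.5). The rest of the front matter is internally consistent: `ghsa: xc9x-jj77-9p9j`, the `url` field and the last `related.url` entry all point at GHSA-xc9x-jj77-9p9j, `cve: 2024-25062` matches the title and the MITRE link in the summary, and `patched_versions: ">= 1.16.2"` agrees with the "Upgrade to Nokogiri >= 1.16.2" mitigation text.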
