Commit e03f2c0

postmodern authored and RubySec CI committed
Updated advisory posts against rubysec/ruby-advisory-db@ddfa779
1 parent 2315dac commit e03f2c0

1 file changed: 55 additions & 0 deletions
@@ -0,0 +1,55 @@
1+
---
2+
layout: advisory
3+
title: 'GHSA-xc9x-jj77-9p9j (nokogiri): Improper Handling of Unexpected Data Type
4+
in Nokogiri'
5+
comments: false
6+
categories:
7+
- nokogiri
8+
advisory:
9+
gem: nokogiri
10+
ghsa: xc9x-jj77-9p9j
11+
url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
12+
title: Improper Handling of Unexpected Data Type in Nokogiri
13+
date: 2024-02-04
14+
description: |
15+
### Summary
16+
17+
Nokogiri v1.16.2 upgrades the version of its dependency libxml2 to v2.12.5.
18+
19+
libxml2 v2.12.5 addresses the following vulnerability:
20+
21+
CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
22+
described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
23+
patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
24+
25+
Please note that this advisory only applies to the CRuby implementation of
26+
Nokogiri < 1.16.2, and only if the packaged libraries are being used. If
27+
you've overridden defaults at installation time to use system libraries
28+
instead of packaged libraries, you should instead pay attention to your
29+
distro's libxml2 release announcements.
30+
31+
### Severity
32+
33+
The Nokogiri maintainers have evaluated this as **Moderate**.
34+
35+
### Mitigation
36+
37+
Upgrade to Nokogiri >= 1.16.2.
38+
39+
Users who are unable to upgrade Nokogiri may also choose a more complicated
40+
mitigation: compile and link Nokogiri against external libraries libxml2 >=
41+
2.12.5 which will also address these same issues.
42+
43+
JRuby users are not affected.
44+
45+
### Workarounds
46+
patched_versions:
47+
- ">= 1.16.2"
48+
related:
49+
cve:
50+
- 2024-25062
51+
url:
52+
- https://github.com/sparklemotion/nokogiri/commit/1b768b797fd42d94de12b9cff4ed0221f5cb92ec
53+
- https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.2
54+
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
55+
---
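Review bot: the `### Workarounds` heading at the end of the description (line 45) is empty, so the rendered advisory ends with a dangling section title and readers cannot tell whether a workaround exists or the text was cut off; either drop the heading or add a line such as "There are no workarounds other than the mitigation above (upgrade to Nokogiri >= 1.16.2, or compile and link against an external libxml2 >= 2.12.5)." Worth a note in the description as well: `patched_versions: [">= 1.16.2"]` is evaluated purely on the gem version, so tooling driven by this entry will still flag installations that built Nokogiri < 1.16.2 against a system libxml2 >= 2.12.5, even though the description says those installations are out of scope; stating that explicitly saves such users a false-positive triage.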
