MGASA-2021-0063

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2021-0063.html

Import Source

https://advisories.mageia.org/MGASA-2021-0063.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2021-0063

Related

Published

2021-02-04T13:40:24Z

Modified

2021-02-04T12:58:35Z

Summary

Updated ruby-nokogiri packages fix security vulnerabilities

Details

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being called with unsafe user input as the filename (CVE-2019-5477).

In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible (CVE-2020-26247).

The ruby-nokogiri package has been updated to version 1.10.10 to fix CVE-2019-5477 and patched to fix CVE-2020-26247.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:7 / ruby-nokogiri

Package

Name: ruby-nokogiri
Purl: pkg:rpm/mageia/ruby-nokogiri?distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.10-1.mga7

Ecosystem specific

{
    "section": "core"
}