[ANN] nokogiri security update - 1.6.7.1

Hello,

Nokogiri version 1.6.7.1 has been released, pulling in several upstream
patches to the vendored libxml2 to address the following CVEs:

  CVE-2015-5312
  CVE-2015-7497
  CVE-2015-7498
  CVE-2015-7499
  CVE-2015-7500
  CVE-2015-8241
  CVE-2015-8242
  CVE-2015-8317

These CVEs are all *low* or *medium* priority according to Canonical;
however, NIST NVD gives CVE-2015-5312 a *high* severity score. Full details
are included below.

*Vulnerable versions:* Nokogiri >= 1.6.0, <= 1.6.7; only affects
installations using the vendored libxml2.

*Recommended action:* upgrade to 1.6.7.1

*Full CVE information:*

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5312

  Original release date: 12/15/2015
  CVSS v2 Base Score: 7.1 (HIGH)

  The xmlStringLenDecodeEntities function in parser.c in libxml2
  before 2.9.3 does not properly prevent entity expansion, which
  allows context-dependent attackers to cause a denial of
  service (CPU consumption) via crafted XML data, a different
  vulnerability than CVE-2014-3660.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7497

  Original release date: 12/15/2015
  CVSS v2 Base Score: 5.0 (MEDIUM)

  Heap-based buffer overflow in the xmlDictComputeFastQKey
  function in dict.c in libxml2 before 2.9.3 allows
  context-dependent attackers to cause a denial of service via
  unspecified vectors.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7498

  Original release date: 12/15/2015
  CVSS v2 Base Score: 5.0 (MEDIUM)

  Heap-based buffer overflow in the xmlParseXmlDecl function in
  parser.c in libxml2 before 2.9.3 allows context-dependent
  attackers to cause a denial of service via unspecified vectors
  related to extracting errors after an encoding conversion
  failure.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7499

  Original release date: 12/15/2015
  CVSS v2 Base Score: 5.0 (MEDIUM)

  Heap-based buffer overflow in the xmlGROW function in parser.c
  in libxml2 before 2.9.3 allows context-dependent attackers to
  obtain sensitive process memory information via unspecified
  vectors.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7500

  Original release date: 12/15/2015
  CVSS v2 Base Score: 5.0 (MEDIUM)

  The xmlParseMisc function in parser.c in libxml2 before 2.9.3
  allows context-dependent attackers to cause a denial of
  service (out-of-bounds heap read) via unspecified vectors
  related to incorrect entities boundaries and start tags.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8241

  Original release date: 12/15/2015
  CVSS v2 Base Score: 6.4 (MEDIUM)

  The xmlNextChar function in libxml2 2.9.2 does not properly
  check the state, which allows context-dependent attackers to
  cause a denial of service (heap-based buffer over-read and
  application crash) or obtain sensitive information via crafted
  XML data.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8242

  Original release date: 12/15/2015
  CVSS v2 Base Score: 5.8 (MEDIUM)

  The xmlSAX2TextNode function in SAX2.c in the push interface in
  the HTML parser in libxml2 before 2.9.3 allows
  context-dependent attackers to cause a denial of
  service (stack-based buffer over-read and application crash) or
  obtain sensitive information via crafted XML data.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8317

  Original release date: 12/15/2015
  CVSS v2 Base Score: 5.0 (MEDIUM)

  The xmlParseXMLDecl function in parser.c in libxml2 before
  2.9.3 allows context-dependent attackers to obtain sensitive
  information via an (1) unterminated encoding value or (2)
  incomplete XML declaration in XML data, which triggers an
  out-of-bounds heap read.
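
One way to check an application against the "Vulnerable versions" statement above (an added example, not part of the original announcement or of Nokogiri itself). It assumes the libxml2 source is reported as "packaged" or "system", as in the `libxml: source:` field printed by `nokogiri -v`; the helper names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems"

# Range stated in the announcement: >= 1.6.0, <= 1.6.7 (fixed in 1.6.7.1).
VULNERABLE_RANGE = Gem::Requirement.new(">= 1.6.0", "<= 1.6.7")

# Constructed sample Gemfile.lock excerpt (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.0.3)
        nokogiri (>= 1.5.9)
      mini_portile2 (2.0.0)
      nokogiri (1.6.7)
        mini_portile2 (~> 2.0.0.rc2)

  DEPENDENCIES
    loofah
    nokogiri
LOCK

# Return the resolved nokogiri version from Gemfile.lock text, or nil.
# Resolved specs sit at exactly four spaces of indent; deeper lines are other
# gems' constraints on nokogiri. Platform suffixes ("1.6.7-x86-mingw32") are dropped.
def locked_nokogiri_version(lockfile_text)
  m = lockfile_text.match(/^ {4}nokogiri \((\d[\w.]*)(?:-[^)]*)?\)$/)
  m && Gem::Version.new(m[1])
end

# version: String or Gem::Version (nil if not found).
# libxml_source: "packaged" (vendored), "system", or nil when not known.
# On a host with the gem loaded, the inputs would be Nokogiri::VERSION and
# Nokogiri::VERSION_INFO["libxml"]["source"] (assumed shape, see lead-in).
def assess(version, libxml_source)
  return :unknown if version.nil?
  v = Gem::Version.new(version.to_s)
  return :not_affected unless VULNERABLE_RANGE.satisfied_by?(v)

  case libxml_source
  when "packaged" then :affected             # vendored libxml2: upgrade to 1.6.7.1
  when "system"   then :uses_system_libxml2  # gem upgrade does not patch the OS library
  else :unknown                              # in range, libxml2 source not determined
  end
end
```

A `:uses_system_libxml2` result means the gem release does not change the parser in use; the CVE entries above describe the flaws as present in libxml2 before 2.9.3, so the operating system package has to be checked separately.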