[ANN] nokogiri security update - 1.6.7.2

Hello,

Nokogiri version 1.6.7.2 has been released, pulling in several upstream
patches to the vendored libxml2 to address the following CVE:

CVE-2015-7499

Ubuntu classifies this as "Priority: *Low*", RedHat classifies this as
"Impact: *Moderate*", and NIST classifies this as "Severity: 5.0 (*MEDIUM*)".

Full details are included below.

Please note that although CVE-2015-7499 was partially addressed in the
1.6.7.1 release, an additional commit was included in the latest Canonical
security update from 2016-01-19 (along with two previous commits necessary
for that patch to apply cleanly) also related to CVE-2015-7499, which we've
pulled in.

*Vulnerable versions:* Nokogiri >= 1.6.0, <= 1.6.7.1; only affects
installations using the vendored libxml2.

*Recommended action:* upgrade to 1.6.7.2.

*Full CVE information:*

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7499

Original release date: 12/15/2015
CVSS v2 Base Score: 5.0 (MEDIUM)

Heap-based buffer overflow in the xmlGROW function in parser.c
in libxml2 before 2.9.3 allows context-dependent attackers to
obtain sensitive process memory information via unspecified
vectors.

Updated: 2016-01-19

http://www.ubuntu.com/usn/usn-2875-1/

libxml2 could be made to crash if it opened a specially crafted file.
It was discovered that libxml2 incorrectly handled certain
malformed documents. If a user or automated system were tricked into
opening a specially crafted document, an attacker could possibly cause
libxml2 to crash, resulting in a denial of service.
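
The "Vulnerable versions" line above combines two conditions: the gem version range and whether the gem was built against its vendored libxml2. The following check is an added example, not part of the original announcement or the Nokogiri project's code; the function name, status symbols and sample hashes are constructed for illustration, and it reads the `source` field that `Nokogiri::VERSION_INFO` reports for libxml.

```ruby
require "rubygems"

# Affected range exactly as stated in the announcement: >= 1.6.0, <= 1.6.7.1.
AFFECTED_RANGE = Gem::Requirement.new(">= 1.6.0", "<= 1.6.7.1")

# version:      a Nokogiri version string (Nokogiri::VERSION at runtime)
# version_info: a hash shaped like Nokogiri::VERSION_INFO
# Returns :affected, :unaffected_version or :unaffected_not_vendored.
def cve_2015_7499_status(version, version_info)
  in_range = AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version))
  return :unaffected_version unless in_range

  # "packaged" = the gem compiled its vendored libxml2; "system" = it linked
  # against the OS library, which is patched through the OS vendor instead
  # (for example the Ubuntu USN referenced above), not through this gem.
  # A missing "libxml" entry (e.g. a build without libxml2) is not vendored.
  source = (version_info["libxml"] || {})["source"]
  source == "packaged" ? :affected : :unaffected_not_vendored
end

# Constructed sample inputs (not captured from real installations).
SAMPLES = [
  ["1.6.7.1", { "libxml" => { "source" => "packaged" } }],
  ["1.6.7.1", { "libxml" => { "source" => "system" } }],
  ["1.6.7.2", { "libxml" => { "source" => "packaged" } }],
  ["1.5.11",  { "libxml" => { "source" => "system" } }]
].freeze

if __FILE__ == $PROGRAM_NAME
  begin
    # Check the Nokogiri actually loadable in this Ruby environment.
    require "nokogiri"
    status = cve_2015_7499_status(Nokogiri::VERSION, Nokogiri::VERSION_INFO)
    puts "installed nokogiri #{Nokogiri::VERSION}: #{status}"
  rescue LoadError
    # No Nokogiri here: fall back to the constructed samples.
    SAMPLES.each do |version, info|
      puts "#{version} (#{info['libxml']['source']}): " \
           "#{cve_2015_7499_status(version, info)}"
    end
  end
end
```

Run it with the same Ruby and bundle the application uses, since different environments on one host can load different Nokogiri builds.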