MGASA-2021-0063

Description

Updated ruby-nokogiri packages fix security vulnerabilities A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename (CVE-2019-5477). In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible (CVE-2020-26247). The ruby-nokogiri package has been updated to version 1.10.10 to fix CVE-2019-5477 and patched to fix CVE-2020-26247.

Affected Systems

• mageia•ruby-nokogiri

  < 1.10.10-1.mga7

References (4)

• https://advisories.mageia.org/MGASA-2021-0063.html
• https://bugs.mageia.org/show_bug.cgi?id=28141
• https://github.com/sparklemotion/nokogiri/releases/
• https://lists.suse.com/pipermail/sle-security-updates/2021-January/008244.html