Ruby/nokogiri/1.14.3

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2, libgumbo, or xerces.

https://rubygems.org/gems/nokogiri
MIT

2 Security Vulnerabilities

Use-after-free in libxml2 via Nokogiri::XML::Reader

Published date: 2024-03-18T20:38:40Z
Links:

Summary

Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Severity

The Nokogiri maintainers have evaluated this as Moderate.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.

Affected versions: ["1.16.0", "1.16.1", "1.11.0.rc3", "1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.4", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.10.0.rc1", "1.9.1", "1.9.0", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.2", "1.7.1", "1.7.0.1", "1.7.0", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.8.rc1", "1.6.7.2", "1.6.7.1", "1.6.7", "1.6.7.rc4", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.5", "1.6.4.1", "1.6.4", "1.6.3.1", "1.6.3", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2.1", "1.6.2", "1.6.2.rc3", "1.6.2.rc2", "1.6.2.rc1", "1.6.1", "1.6.0", "1.6.0.rc1", "1.5.11", "1.5.10", "1.5.9", "1.5.8", "1.5.7", "1.5.7.rc3", "1.5.7.rc2", "1.5.7.rc1", "1.5.6", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc3", "1.5.5.rc2", "1.5.5.rc1", "1.5.4", "1.5.4.rc3", "1.5.4.rc2", "1.5.4.rc1", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc4", "1.5.3.rc3", "1.5.3.rc2", "1.5.2", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.3", "1.5.0.beta.2", "1.5.0.beta.1", "1.4.7", "1.4.6", "1.4.5", "1.4.4.2", "1.4.4.1", "1.4.4", "1.4.3.1", "1.4.3", "1.4.2.1", "1.4.2", "1.4.1", "1.4.0", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5"]
Secure versions: [1.16.2, 1.16.3, 1.15.6, 1.16.4]
Recommendation: Update to version 1.16.4.

Use-after-free in libxml2 via Nokogiri::XML::Reader

Published date: 2024-02-04
Links:

Summary

Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Severity

The Nokogiri maintainers have evaluated this as Moderate.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.

Affected versions: ["1.11.0.rc3", "1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.4", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.10.0.rc1", "1.9.1", "1.9.0", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.2", "1.7.1", "1.7.0.1", "1.7.0", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.8.rc1", "1.6.7.2", "1.6.7.1", "1.6.7", "1.6.7.rc4", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.5", "1.6.4.1", "1.6.4", "1.6.3.1", "1.6.3", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2.1", "1.6.2", "1.6.2.rc3", "1.6.2.rc2", "1.6.2.rc1", "1.6.1", "1.6.0", "1.6.0.rc1", "1.5.11", "1.5.10", "1.5.9", "1.5.8", "1.5.7", "1.5.7.rc3", "1.5.7.rc2", "1.5.7.rc1", "1.5.6", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc3", "1.5.5.rc2", "1.5.5.rc1", "1.5.4", "1.5.4.rc3", "1.5.4.rc2", "1.5.4.rc1", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc4", "1.5.3.rc3", "1.5.3.rc2", "1.5.2", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.3", "1.5.0.beta.2", "1.5.0.beta.1", "1.4.7", "1.4.6", "1.4.5", "1.4.4.2", "1.4.4.1", "1.4.4", "1.4.3.1", "1.4.3", "1.4.2.1", "1.4.2", "1.4.1", "1.4.0", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.14.5", "1.16.0.rc1", "1.16.0", "1.16.1"]
Secure versions: [1.16.2, 1.16.3, 1.15.6, 1.16.4]
Recommendation: Update to version 1.16.4.

170 Other Versions

Version License Security Released
1.6.2.rc3 MIT 67 2014-05-09 - 22:00 almost 10 years
1.6.2.rc2 MIT 67 2014-04-10 - 17:15 about 10 years
1.6.2.rc1 MIT 67 2014-04-06 - 20:37 about 10 years
1.6.1 MIT 68 2013-12-15 - 01:54 over 10 years
1.6.0 UNKNOWN 72 2013-06-10 - 14:38 almost 11 years
1.6.0.rc1 UNKNOWN 64 2013-04-23 - 17:32 about 11 years
1.5.11 MIT 62 2013-12-15 - 01:53 over 10 years
1.5.10 UNKNOWN 64 2013-06-07 - 21:16 almost 11 years
1.5.9 UNKNOWN 64 2013-03-21 - 13:35 about 11 years
1.5.8 UNKNOWN 64 2013-03-19 - 19:56 about 11 years
1.5.7 UNKNOWN 64 2013-03-18 - 20:10 about 11 years
1.5.7.rc3 UNKNOWN 64 2013-03-14 - 12:50 about 11 years
1.5.7.rc2 UNKNOWN 64 2013-03-11 - 09:46 about 11 years
1.5.7.rc1 UNKNOWN 64 2013-02-22 - 18:36 about 11 years
1.5.6 UNKNOWN 64 2012-12-19 - 16:41 over 11 years
1.5.6.rc3 UNKNOWN 64 2012-11-27 - 00:36 over 11 years
1.5.6.rc2 UNKNOWN 64 2012-09-12 - 15:53 over 11 years
1.5.6.rc1 UNKNOWN 64 2012-07-11 - 18:06 almost 12 years
1.5.5 UNKNOWN 64 2012-06-23 - 16:21 almost 12 years
1.5.5.rc3 UNKNOWN 64 2012-06-22 - 15:22 almost 12 years
1.5.5.rc2 UNKNOWN 64 2012-06-14 - 16:35 almost 12 years
1.5.5.rc1 UNKNOWN 64 2012-06-12 - 14:04 almost 12 years
1.5.4 UNKNOWN 64 2012-06-11 - 15:09 almost 12 years
1.5.4.rc3 UNKNOWN 66 2012-06-08 - 18:58 almost 12 years
1.5.4.rc2 UNKNOWN 66 2012-06-08 - 15:26 almost 12 years
1.5.4.rc1 UNKNOWN 66 2012-06-07 - 20:34 almost 12 years
1.5.3 UNKNOWN 66 2012-06-01 - 13:53 almost 12 years
1.5.3.rc6 UNKNOWN 66 2012-05-30 - 15:25 almost 12 years
1.5.3.rc5 UNKNOWN 66 2012-04-27 - 14:55 about 12 years
1.5.3.rc4 UNKNOWN 66 2012-04-27 - 04:11 about 12 years
1.5.3.rc3 UNKNOWN 66 2012-03-26 - 22:07 about 12 years
1.5.3.rc2 UNKNOWN 66 2012-03-22 - 15:29 about 12 years
1.5.2 UNKNOWN 66 2012-03-09 - 21:00 about 12 years
1.5.1 UNKNOWN 66 2012-03-09 - 05:59 about 12 years
1.5.1.rc1 UNKNOWN 66 2012-03-04 - 02:01 about 12 years
1.5.0 UNKNOWN 66 2011-07-01 - 07:26 almost 13 years
1.5.0.beta.1 UNKNOWN 64 2010-06-08 - 13:32 almost 14 years
1.5.0.beta.4 UNKNOWN 64 2011-01-27 - 22:59 over 13 years
1.5.0.beta.3 UNKNOWN 64 2010-12-02 - 20:10 over 13 years
1.5.0.beta.2 UNKNOWN 64 2010-07-30 - 15:53 almost 14 years
1.4.7 UNKNOWN 66 2011-07-01 - 05:22 almost 13 years
1.4.6 UNKNOWN 66 2011-06-20 - 02:53 almost 13 years
1.4.5 UNKNOWN 66 2011-06-16 - 11:21 almost 13 years
1.4.4.2 UNKNOWN 66 2010-12-01 - 19:35 over 13 years
1.4.4.1 UNKNOWN 66 2010-11-17 - 13:50 over 13 years
1.4.4 UNKNOWN 66 2010-11-16 - 06:28 over 13 years
1.4.3.1 UNKNOWN 66 2010-07-29 - 15:47 almost 14 years
1.4.3 UNKNOWN 66 2010-07-29 - 14:59 almost 14 years
1.4.2.1 UNKNOWN 66 2010-06-02 - 21:16 almost 14 years
1.4.2 UNKNOWN 66 2010-05-22 - 15:35 almost 14 years
1.4.1 UNKNOWN 66 2009-12-11 - 05:14 over 14 years
1.4.0 UNKNOWN 66 2009-10-31 - 07:00 over 14 years
1.3.3 UNKNOWN 66 2009-09-25 - 09:04 over 14 years
1.3.2 UNKNOWN 66 2009-09-25 - 09:04 over 14 years
1.3.1 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years
1.3.0 UNKNOWN 66 2009-09-25 - 09:04 over 14 years
1.2.3 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years
1.2.2 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years
1.2.1 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years
1.2.0 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years
1.1.1 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years
1.1.0 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years
1.0.7 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years
1.0.6 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years
1.0.5 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years
1.0.4 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years
1.0.3 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years
1.0.2 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years
1.0.1 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years
1.0.0 UNKNOWN 66 2009-07-25 - 18:05 almost 15 years