Ruby/nokogiri/1.15.4

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2, libgumbo, or xerces.

Repo Link: https://rubygems.org/gems/nokogiri
License: MIT

3 Security Vulnerabilities

Duplicate Advisory: Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Published date: 2024-05-14T22:30:45Z

Links:

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-r95h-9x8f-r3f7. This link is maintained to preserve external references.

Original Description

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
2024-05-13 08:30 EDT, nokogiri maintainers begin triage
2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

Affected versions: ["1.11.0.rc3", "1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.4", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.10.0.rc1", "1.9.1", "1.9.0", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.2", "1.7.1", "1.7.0.1", "1.7.0", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.8.rc1", "1.6.7.2", "1.6.7.1", "1.6.7", "1.6.7.rc4", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.5", "1.6.4.1", "1.6.4", "1.6.3.1", "1.6.3", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2.1", "1.6.2", "1.6.2.rc3", "1.6.2.rc2", "1.6.2.rc1", "1.6.1", "1.6.0", "1.6.0.rc1", "1.5.11", "1.5.10", "1.5.9", "1.5.8", "1.5.7", "1.5.7.rc3", "1.5.7.rc2", "1.5.7.rc1", "1.5.6", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc3", "1.5.5.rc2", "1.5.5.rc1", "1.5.4", "1.5.4.rc3", "1.5.4.rc2", "1.5.4.rc1", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc4", "1.5.3.rc3", "1.5.3.rc2", "1.5.2", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.3", "1.5.0.beta.2", "1.5.0.beta.1", "1.4.7", "1.4.6", "1.4.5", "1.4.4.2", "1.4.4.1", "1.4.4", "1.4.3.1", "1.4.3", "1.4.2.1", "1.4.2", "1.4.1", "1.4.0", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4"]

Secure versions: [1.16.5]

Recommendation: Update to version 1.16.5.

Use-after-free in libxml2 via Nokogiri::XML::Reader

Published date: 2024-03-18T20:38:40Z

Links:

Summary

Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Severity

The Nokogiri maintainers have evaluated this as Moderate.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.

Affected versions: ["1.16.0", "1.16.1", "1.11.0.rc3", "1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.4", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.10.0.rc1", "1.9.1", "1.9.0", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.2", "1.7.1", "1.7.0.1", "1.7.0", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.8.rc1", "1.6.7.2", "1.6.7.1", "1.6.7", "1.6.7.rc4", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.5", "1.6.4.1", "1.6.4", "1.6.3.1", "1.6.3", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2.1", "1.6.2", "1.6.2.rc3", "1.6.2.rc2", "1.6.2.rc1", "1.6.1", "1.6.0", "1.6.0.rc1", "1.5.11", "1.5.10", "1.5.9", "1.5.8", "1.5.7", "1.5.7.rc3", "1.5.7.rc2", "1.5.7.rc1", "1.5.6", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc3", "1.5.5.rc2", "1.5.5.rc1", "1.5.4", "1.5.4.rc3", "1.5.4.rc2", "1.5.4.rc1", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc4", "1.5.3.rc3", "1.5.3.rc2", "1.5.2", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.3", "1.5.0.beta.2", "1.5.0.beta.1", "1.4.7", "1.4.6", "1.4.5", "1.4.4.2", "1.4.4.1", "1.4.4", "1.4.3.1", "1.4.3", "1.4.2.1", "1.4.2", "1.4.1", "1.4.0", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5"]

Secure versions: [1.16.5]

Recommendation: Update to version 1.16.5.

Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Published date: 2024-05-13

Links:

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
2024-05-13 08:30 EDT, nokogiri maintainers begin triage
2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

Secure versions: [1.16.5]

Recommendation: Update to version 1.16.5.

171 Other Versions

Version	License	Security	Released
1.16.5	MIT		2024-05-13 - 14:01	7 days
1.16.4	MIT	2	2024-04-10 - 18:17	about 1 month
1.16.3	MIT	2	2024-03-15 - 21:21	2 months
1.16.2	MIT	2	2024-02-04 - 16:52	4 months
1.16.1	MIT	4	2024-02-03 - 16:27	4 months
1.16.0	MIT	4	2023-12-28 - 00:08	5 months
1.16.0.rc1	MIT	3	2023-12-13 - 22:00	5 months
1.15.6	MIT	2	2024-03-16 - 13:14	2 months
1.15.5	MIT	3	2023-11-17 - 16:13	6 months
1.15.4	MIT	3	2023-08-11 - 19:25	9 months
1.15.3	MIT	3	2023-07-05 - 14:34	11 months
1.15.2	MIT	3	2023-05-24 - 13:31	12 months
1.15.1	MIT	3	2023-05-19 - 14:06	about 1 year
1.15.0	MIT	3	2023-05-15 - 19:57	about 1 year
1.14.5	MIT	4	2023-05-24 - 13:04	12 months
1.14.4	MIT	4	2023-05-11 - 18:12	about 1 year
1.14.3	MIT	4	2023-04-11 - 17:00	about 1 year
1.14.2	MIT	5	2023-02-13 - 17:41	over 1 year
1.14.1	MIT	5	2023-01-30 - 19:40	over 1 year
1.14.0	MIT	5	2023-01-12 - 21:52	over 1 year
1.14.0.rc1	MIT	5	2022-12-29 - 15:47	over 1 year
1.13.10	MIT	5	2022-12-08 - 02:47	over 1 year
1.13.9	MIT	7	2022-10-18 - 15:48	over 1 year
1.13.8	MIT	8	2022-07-23 - 15:50	almost 2 years
1.13.7	MIT	6	2022-07-12 - 14:56	almost 2 years
1.13.6	MIT	6	2022-05-08 - 14:34	about 2 years
1.13.5	MIT	8	2022-05-04 - 20:41	about 2 years
1.13.4	MIT	9	2022-04-11 - 20:44	about 2 years
1.13.3	MIT	18	2022-02-22 - 04:52	about 2 years
1.13.2	MIT	18	2022-02-21 - 18:52	about 2 years
1.13.1	MIT	21	2022-01-13 - 16:04	over 2 years
1.13.0	MIT	21	2022-01-06 - 20:53	over 2 years
1.12.5	MIT	21	2021-09-27 - 19:03	over 2 years
1.12.4	MIT	23	2021-08-29 - 21:18	over 2 years
1.12.3	MIT	23	2021-08-10 - 19:32	almost 3 years
1.12.2	MIT	23	2021-08-04 - 15:03	almost 3 years
1.12.1	MIT	23	2021-08-03 - 15:11	almost 3 years
1.12.0	MIT	23	2021-08-02 - 17:34	almost 3 years
1.12.0.rc1	MIT	23	2021-07-09 - 20:00	almost 3 years
1.11.7	MIT	23	2021-06-03 - 00:31	almost 3 years
1.11.6	MIT	23	2021-05-26 - 13:16	almost 3 years
1.11.5	MIT	23	2021-05-20 - 03:08	about 3 years
1.11.4	MIT	23	2021-05-14 - 23:30	about 3 years
1.11.3	MIT	30	2021-04-07 - 20:33	about 3 years
1.11.2	MIT	30	2021-03-11 - 15:56	about 3 years
1.11.1	MIT	30	2021-01-06 - 05:30	over 3 years
1.11.0	MIT	30	2021-01-04 - 04:20	over 3 years
1.11.0.rc4	MIT	30	2020-12-29 - 16:44	over 3 years
1.11.0.rc3	MIT	31	2020-09-08 - 13:26	over 3 years
1.11.0.rc2	MIT	31	2020-04-01 - 19:18	about 4 years
1.11.0.rc1	MIT	31	2020-02-03 - 13:54	over 4 years
1.10.10	MIT	32	2020-07-06 - 13:40	almost 4 years
1.10.9	MIT	32	2020-03-01 - 19:05	about 4 years
1.10.8	MIT	32	2020-02-10 - 19:44	over 4 years
1.10.7	MIT	34	2019-12-04 - 15:29	over 4 years
1.10.6	MIT	34	2019-12-04 - 00:44	over 4 years
1.10.5	MIT	34	2019-10-31 - 19:29	over 4 years
1.10.4	MIT	42	2019-08-11 - 19:25	almost 5 years
1.10.3	MIT	44	2019-04-22 - 17:10	about 5 years
1.10.2	MIT	46	2019-03-25 - 13:03	about 5 years
1.10.1	MIT	46	2019-01-13 - 06:30	over 5 years
1.10.0	MIT	46	2019-01-04 - 15:35	over 5 years
1.10.0.rc1	MIT	46	2019-01-03 - 15:05	over 5 years
1.9.1	MIT	46	2018-12-18 - 05:22	over 5 years
1.9.0	MIT	46	2018-12-17 - 15:21	over 5 years
1.9.0.rc1	MIT	46	2018-12-10 - 06:10	over 5 years
1.8.5	MIT	46	2018-10-05 - 01:14	over 5 years
1.8.4	MIT	48	2018-07-04 - 00:37	almost 6 years
1.8.3	MIT	48	2018-06-16 - 20:04	almost 6 years
1.8.2	MIT	50	2018-01-29 - 13:16	over 6 years
1.8.1	MIT	54	2017-09-19 - 16:12	over 6 years
1.8.0	MIT	58	2017-06-05 - 04:04	almost 7 years
1.7.2	MIT	58	2017-05-09 - 21:29	about 7 years
1.7.1	MIT	60	2017-03-20 - 03:39	about 7 years
1.7.0.1	MIT	62	2017-01-04 - 05:42	over 7 years
1.7.0	MIT	62	2016-12-27 - 03:49	over 7 years
1.6.8.1	MIT	62	2016-10-03 - 04:46	over 7 years
1.6.8	MIT	62	2016-06-07 - 00:04	almost 8 years
1.6.8.rc3	MIT	64	2016-02-17 - 06:33	over 8 years
1.6.8.rc2	MIT	64	2016-01-12 - 17:08	over 8 years
1.6.8.rc1	MIT	64	2015-12-17 - 07:28	over 8 years
1.6.7.2	MIT	64	2016-01-20 - 19:18	over 8 years
1.6.7.1	MIT	66	2015-12-17 - 05:08	over 8 years
1.6.7	MIT	68	2015-11-30 - 04:21	over 8 years
1.6.7.rc4	MIT	68	2015-11-22 - 22:56	over 8 years
1.6.7.rc3	MIT	69	2015-09-04 - 17:34	over 8 years
1.6.7.rc2	MIT	69	2015-08-31 - 13:51	over 8 years
1.6.6.4	MIT	68	2015-11-19 - 20:58	over 8 years
1.6.6.3	MIT	69	2015-11-17 - 00:02	over 8 years
1.6.6.2	MIT	69	2015-01-23 - 18:53	over 9 years
1.6.6.1	MIT	69	2015-01-22 - 18:42	over 9 years
1.6.5	MIT	69	2014-11-26 - 21:07	over 9 years
1.6.4.1	MIT	69	2014-11-07 - 03:03	over 9 years
1.6.4	MIT	69	2014-11-05 - 04:32	over 9 years
1.6.3.1	MIT	69	2014-07-22 - 01:35	almost 10 years
1.6.3	MIT	69	2014-07-20 - 18:57	almost 10 years
1.6.3.rc3	MIT	70	2014-06-21 - 20:31	almost 10 years
1.6.3.rc2	MIT	70	2014-06-17 - 17:04	almost 10 years
1.6.3.rc1	MIT	70	2014-05-22 - 19:23	almost 10 years
1.6.2.1	MIT	69	2014-05-14 - 01:21	about 10 years