Ruby/nokogiri/1.6.8.rc1
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2, libgumbo, or xerces.
https://rubygems.org/gems/nokogiri
MIT
64 Security Vulnerabilities
Nokogiri affected by libxslt Use of Uninitialized Resource/Use After Free vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2019-18197
- https://access.redhat.com/errata/RHSA-2020:0514
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914
- https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
- https://lists.debian.org/debian-lts-announce/2019/10/msg00037.html
- https://security.netapp.com/advisory/ntap-20191031-0004/
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://usn.ubuntu.com/4164-1/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
- http://www.openwall.com/lists/oss-security/2019/11/17/2
- https://github.com/sparklemotion/nokogiri/issues/1943
- https://github.com/sparklemotion/nokogiri/blob/01ab95f3e37429ed8d3b380a8d2f73902eb325d9/CHANGELOG.md?plain=1#L934
- https://github.com/advisories/GHSA-242x-7cm6-4w8j
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-18197.yml
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.
Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing
- https://nvd.nist.gov/vuln/detail/CVE-2021-3537
- https://bugzilla.redhat.com/show_bug.cgi?id=1956522
- https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
- https://security.gentoo.org/glsa/202107-05
- https://security.netapp.com/advisory/ntap-20210625-0002/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/sparklemotion/nokogiri/blob/2edbbef95f1dc12c1ddc5ebda71b9159026245fe/CHANGELOG.md?plain=1#L722
- https://github.com/advisories/GHSA-286v-pcf5-25rc
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-3537.yml
- https://nokogiri.org/CHANGELOG.html#1114-2021-05-14
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Summary
Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to v2.10.3 from v2.9.14.
libxml2 v2.10.3 addresses the following known vulnerabilities:
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.9
, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2
release announcements.
Mitigation
Upgrade to Nokogiri >= 1.13.9
.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.3
which will also address these same issues.
Impact
libxml2 CVE-2022-2309
- CVSS3 score: Under evaluation
- Type: Denial of service
- Description: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
Nokogiri maintainers investigated at #2620 and determined this CVE does not affect Nokogiri users.
libxml2 CVE-2022-40304
- CVSS3 score: Unspecified upstream
- Type: Data corruption, denial of service
- Description: When an entity reference cycle is detected, the entity content is cleared by setting its first byte to zero. But the entity content might be allocated from a dict. In this case, the dict entry becomes corrupted leading to all kinds of logic errors, including memory errors like double-frees.
See https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2
libxml2 CVE-2022-40303
- CVSS3 score: Unspecified upstream
- Type: Integer overflow
- Description: Integer overflows with XMLPARSEHUGE
See https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0
References
Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h
- https://nvd.nist.gov/vuln/detail/CVE-2021-41098
- https://github.com/advisories/GHSA-2rr5-8q37-2w7h
- https://github.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584088bf9f6d
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-41098.yml
Severity
The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.0) for JRuby users. (This security advisory does not apply to CRuby users.)
Impact
In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default.
Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:
- Nokogiri::XML::SAX::Parser
- Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser
- Nokogiri::XML::SAX::PushParser
- Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser
Mitigation
JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.
CRuby users are not affected.
Uninitialized read in Nokogiri gem
- https://nvd.nist.gov/vuln/detail/CVE-2019-13117
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14471
- https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOYJKXPQCUNBMMQJWYXOR6QRUJZHEDRZ/
- https://oss-fuzz.com/testcase-detail/5631739747106816
- https://security.netapp.com/advisory/ntap-20190806-0004/
- https://security.netapp.com/advisory/ntap-20200122-0003/
- https://usn.ubuntu.com/4164-1/
- https://www.oracle.com/security-alerts/cpujan2020.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
- http://www.openwall.com/lists/oss-security/2019/11/17/2
- https://github.com/sparklemotion/nokogiri/issues/1943
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-13117.yml
- https://github.com/advisories/GHSA-4hm9-844j-jmxp
In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
Nokogiri has vulnerable dependencies on libxml2 and libxslt
- https://nvd.nist.gov/vuln/detail/CVE-2021-30560
- https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html
- https://crbug.com/1219209
- https://www.debian.org/security/2022/dsa-5216
- https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-30560.yml
- https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2
- https://github.com/advisories/GHSA-59gp-qqm7-cw4j
- https://security.gentoo.org/glsa/202310-23
Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Nokogiri NULL Pointer Dereference
- https://nvd.nist.gov/vuln/detail/CVE-2018-14404
- https://github.com/advisories/GHSA-6qvp-r6r3-9p7h
- https://access.redhat.com/errata/RHSA-2019:1543
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
- https://bugzilla.redhat.com/show_bug.cgi?id=1595985
- https://gitlab.gnome.org/GNOME/libxml2/issues/10
- https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html
- https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
- https://security.netapp.com/advisory/ntap-20190719-0002/
- https://usn.ubuntu.com/3739-1/
- https://usn.ubuntu.com/3739-2/
- https://github.com/sparklemotion/nokogiri/issues/1785
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-14404.yml
A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval()
function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND
or XPATH_OP_OR
case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.
libxml as used in Nokogiri has an infinite loop in a certain end-of-file situation
- https://nvd.nist.gov/vuln/detail/CVE-2020-7595
- https://github.com/advisories/GHSA-7553-jr98-vx47
- https://github.com/sparklemotion/nokogiri/issues/1992
- https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
- https://usn.ubuntu.com/4274-1/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html
- https://security.netapp.com/advisory/ntap-20200702-0005/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf
- https://security.gentoo.org/glsa/202010-04
- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-7595.yml
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. The Nokogiri RubyGem has patched its vendored copy of libxml2 in order to prevent this issue from affecting nokogiri.
Denial of service or RCE from libxml2 and libxslt
- https://nvd.nist.gov/vuln/detail/CVE-2015-8806
- https://github.com/advisories/GHSA-7hp2-xwpj-95jq
- https://bugzilla.gnome.org/show_bug.cgi?id=749115
- https://security.gentoo.org/glsa/201701-37
- https://www.debian.org/security/2016/dsa-3593
- http://www.openwall.com/lists/oss-security/2016/02/03/5
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.securityfocus.com/bid/82071
- http://www.ubuntu.com/usn/USN-2994-1
- https://github.com/sparklemotion/nokogiri/issues/1473
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-8806.yml
- https://web.archive.org/web/20160928171015/http://www.securityfocus.com/bid/82071
Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks.
Nokogiri updates packaged dependency on libxml2 from 2.9.10 to 2.9.12
Summary
Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses:
- CVE-2019-20388 (Medium severity)
- CVE-2020-24977 (Medium severity)
- CVE-2021-3517 (Medium severity)
- CVE-2021-3518 (Medium severity)
- CVE-2021-3537 (Low severity)
- CVE-2021-3541 (Low severity)
Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint
is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.11.4
, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2
release announcements.
Mitigation
Upgrade to Nokogiri >= 1.11.4
.
Impact
I've done a brief analysis of the published CVEs that are addressed in this upstream release. The libxml2 maintainers have not released a canonical set of CVEs, and so this list is pieced together from secondary sources and may be incomplete.
All information below is sourced from security.archlinux.org, which appears to have the most up-to-date information as of this analysis.
CVE-2019-20388
- Severity: Medium
- Type: Denial of service
- Description: A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service.
- Fixed: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a
Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.
CVE-2020-7595
- Severity: Medium
- Type: Denial of service
- Description: xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
- Fixed: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5
This has been patched in Nokogiri since v1.10.8 (see #1992).
CVE-2020-24977
- Severity: Medium
- Type: Information disclosure
- Description: GNOME project libxml2 <= 2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.
- Fixed: https://gitlab.gnome.org/GNOME/libxml2/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.
CVE-2021-3516
- Severity: Medium
- Type: Arbitrary code execution (no remote vector)
- Description: A use-after-free security issue was found libxml2 before version 2.9.11 when
xmllint --html --push
is used to process crafted files. - Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230
- Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539
Verified that the fix commit first appears in v2.9.11. This vector does not exist within Nokogiri, which does not ship xmllint
.
CVE-2021-3517
- Severity: Medium
- Type: Arbitrary code execution
- Description: A heap-based buffer overflow was found in libxml2 before version 2.9.11 when processing truncated UTF-8 input.
- Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235
- Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2
Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.
CVE-2021-3518
- Severity: Medium
- Type: Arbitrary code execution
- Description: A use-after-free security issue was found in libxml2 before version 2.9.11 in xmlXIncludeDoProcess() in xinclude.c when processing crafted files.
- Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237
- Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7
Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.
CVE-2021-3537
- Severity: Low
- Type: Denial of service
- Description: It was found that libxml2 before version 2.9.11 did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application.
- Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/243
- Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61
Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.
CVE-2021-3541
- Severity: Low
- Type: Denial of service
- Description: A security issue was found in libxml2 before version 2.9.11. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.
- Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4, however Nokogiri's default parse options prevent the attack from succeeding (it is necessary to opt into DTDLOAD
which is off by default).
For more details supporting this analysis of this CVE, please visit #2233.
Uncontrolled resource consumption in nokogiri
- https://nvd.nist.gov/vuln/detail/CVE-2017-18258
- https://github.com/advisories/GHSA-882p-jqgm-f45g
- https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
- https://kc.mcafee.com/corporate/index?page=content&id=SB10284
- https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html
- https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
- https://security.netapp.com/advisory/ntap-20190719-0001/
- https://usn.ubuntu.com/3739-1/
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-18258.yml
The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
Out-of-bounds read in nokogiri
- https://nvd.nist.gov/vuln/detail/CVE-2017-9050
- https://github.com/advisories/GHSA-8c56-cpmw-89x7
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://security.gentoo.org/glsa/201711-01
- http://www.debian.org/security/2017/dsa-3952
- http://www.openwall.com/lists/oss-security/2017/05/15/1
- http://www.securityfocus.com/bid/98568
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839. GitHub is notifying on nokogiri as uses libxml2.
libxslt Type Confusion vulnerability that affects Nokogiri
- https://nvd.nist.gov/vuln/detail/CVE-2019-13118
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15069
- https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOYJKXPQCUNBMMQJWYXOR6QRUJZHEDRZ/
- https://oss-fuzz.com/testcase-detail/5197371471822848
- https://seclists.org/bugtraq/2019/Aug/21
- https://seclists.org/bugtraq/2019/Aug/22
- https://seclists.org/bugtraq/2019/Aug/23
- https://seclists.org/bugtraq/2019/Aug/25
- https://seclists.org/bugtraq/2019/Jul/35
- https://seclists.org/bugtraq/2019/Jul/36
- https://seclists.org/bugtraq/2019/Jul/37
- https://seclists.org/bugtraq/2019/Jul/40
- https://seclists.org/bugtraq/2019/Jul/41
- https://seclists.org/bugtraq/2019/Jul/42
- https://security.netapp.com/advisory/ntap-20190806-0004/
- https://security.netapp.com/advisory/ntap-20200122-0003/
- https://support.apple.com/kb/HT210346
- https://support.apple.com/kb/HT210348
- https://support.apple.com/kb/HT210351
- https://support.apple.com/kb/HT210353
- https://support.apple.com/kb/HT210356
- https://support.apple.com/kb/HT210357
- https://support.apple.com/kb/HT210358
- https://usn.ubuntu.com/4164-1/
- https://www.oracle.com/security-alerts/cpujan2020.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
- http://seclists.org/fulldisclosure/2019/Aug/11
- http://seclists.org/fulldisclosure/2019/Aug/13
- http://seclists.org/fulldisclosure/2019/Aug/14
- http://seclists.org/fulldisclosure/2019/Aug/15
- http://seclists.org/fulldisclosure/2019/Jul/22
- http://seclists.org/fulldisclosure/2019/Jul/23
- http://seclists.org/fulldisclosure/2019/Jul/24
- http://seclists.org/fulldisclosure/2019/Jul/26
- http://seclists.org/fulldisclosure/2019/Jul/31
- http://seclists.org/fulldisclosure/2019/Jul/37
- http://seclists.org/fulldisclosure/2019/Jul/38
- http://www.openwall.com/lists/oss-security/2019/11/17/2
- https://github.com/sparklemotion/nokogiri/issues/1943
- https://github.com/sparklemotion/nokogiri/commit/43a175339b47b8c604508813fc75b83f13cd173e
- https://github.com/sparklemotion/nokogiri/blob/f7aa3b0b29d6fe5fafe93dacd9b96b6b3d16b7ec/CHANGELOG.md?plain=1#L796
- https://github.com/sparklemotion/nokogiri/releases/tag/v1.10.5
- https://github.com/advisories/GHSA-cf46-6xxh-pc75
In numbers.c
in libxslt 1.1.33, a type holding grouping characters of an xsl:number
instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal
, leading to a read of uninitialized stack data.
Nokogiri prior to version 1.10.5 used a vulnerable version of libxslt. Nokogiri 1.10.5 updated libxslt to version 1.1.34 to address this and other vulnerabilities in libxslt.
Integer Overflow or Wraparound in libxml2 affects Nokogiri
Summary
Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from v2.9.13 to v2.9.14.
libxml2 v2.9.14 addresses CVE-2022-29824. This version also includes several security-related bug fixes for which CVEs were not created, including a potential double-free, potential memory leaks, and integer-overflow.
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.5
, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2
and libxslt
release announcements.
Mitigation
Upgrade to Nokogiri >= 1.13.5
.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.9.14
which will also address these same issues.
Impact
libxml2 CVE-2022-29824
- CVSS3 score:
- Unspecified upstream
- Nokogiri maintainers evaluate at 8.6 (High) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). Note that this is different from the CVSS assessed by NVD.
- Type: Denial of service, information disclosure
- Description: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf) and tree.c (xmlBuffer) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
- Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24
All versions of libml2 prior to v2.9.14 are affected.
Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.
References
- libxml2 v2.9.14 release notes
- CVE-2022-29824
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
Nokogiri Command Injection Vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2019-5477
- https://github.com/advisories/GHSA-cr5j-953j-xw5p
- https://github.com/sparklemotion/nokogiri/issues/1915
- https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc
- https://hackerone.com/reports/650835
- https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html
- https://security.gentoo.org/glsa/202006-05
- https://usn.ubuntu.com/4175-1/
- https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
- https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html
- https://github.com/sparklemotion/nokogiri/commit/5d30128343573a9428c86efc758ba2c66e9f12dc
- https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5477.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexical/CVE-2019-5477.yml
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's Kernel.open
method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file
is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
Nokogiri Inefficient Regular Expression Complexity
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
- https://nvd.nist.gov/vuln/detail/CVE-2022-24836
- https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd
- https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
- https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
- https://github.com/advisories/GHSA-crjr-9rc5-ghw8
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/
- https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/
- https://security.gentoo.org/glsa/202208-29
- https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
- https://support.apple.com/kb/HT213532
- http://seclists.org/fulldisclosure/2022/Dec/23
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml
Summary
Nokogiri < v1.13.4
contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.
Mitigation
Upgrade to Nokogiri >= 1.13.4
.
Severity
The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
CWE-1333 Inefficient Regular Expression Complexity
Credit
This vulnerability was reported by HackerOne user ooooooo_q (ななおく).
Nokogiri does not forbid namespace nodes in XPointer ranges
- https://nvd.nist.gov/vuln/detail/CVE-2016-4658
- https://github.com/advisories/GHSA-fr52-4hqw-p27f
- https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
- https://security.gentoo.org/glsa/201701-37
- https://support.apple.com/HT207141
- https://support.apple.com/HT207142
- https://support.apple.com/HT207143
- https://support.apple.com/HT207170
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html
- http://www.securityfocus.com/bid/93054
- http://www.securitytracker.com/id/1036858
- http://www.securitytracker.com/id/1038623
xpointer.c in libxml2 before 2.9.5 (as used in nokogiri before 1.7.1 amongst other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.
Nokogiri affected by zlib's Out-of-bounds Write vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2018-25032
- https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
- https://www.openwall.com/lists/oss-security/2022/03/24/1
- http://www.openwall.com/lists/oss-security/2022/03/25/2
- http://www.openwall.com/lists/oss-security/2022/03/26/1
- https://github.com/madler/zlib/issues/605
- https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
- https://www.openwall.com/lists/oss-security/2022/03/28/1
- https://www.openwall.com/lists/oss-security/2022/03/28/3
- https://www.debian.org/security/2022/dsa-5111
- https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/
- https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/
- https://support.apple.com/kb/HT213255
- https://support.apple.com/kb/HT213256
- https://support.apple.com/kb/HT213257
- http://seclists.org/fulldisclosure/2022/May/33
- http://seclists.org/fulldisclosure/2022/May/35
- http://seclists.org/fulldisclosure/2022/May/38
- https://security.netapp.com/advisory/ntap-20220526-0009/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://security.netapp.com/advisory/ntap-20220729-0004/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/
- https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html
- https://security.gentoo.org/glsa/202210-42
- https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-25032.yml
- https://github.com/advisories/GHSA-jc36-42cf-vqwj
zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Nokogiri contains libxml Out-of-bounds Write vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2021-3517
- https://bugzilla.redhat.com/show_bug.cgi?id=1954232
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
- https://security.gentoo.org/glsa/202107-05
- https://security.netapp.com/advisory/ntap-20210625-0002/
- https://security.netapp.com/advisory/ntap-20211022-0004/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/sparklemotion/nokogiri/issues/2233
- https://github.com/sparklemotion/nokogiri/issues/2274
- https://github.com/sparklemotion/nokogiri/blob/7c19ef5cc6b7c5c36827dd5495f857c6877ec8cf/CHANGELOG.md?plain=1#L579
- https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
- https://github.com/advisories/GHSA-jw9f-hh49-cvp9
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-3517.yml
There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
Nokogiri prior to version 1.11.4 used a vulnerable version of libxml2. Nokogiri 1.11.4 updated libxml2 to version 2.9.11 to address this and other vulnerabilities in libxml2.
Nokogiri implementation of libxslt lacks integer overflow checks
- https://nvd.nist.gov/vuln/detail/CVE-2017-5029
- https://github.com/advisories/GHSA-pf6m-fxpq-fg8v
- https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html
- https://crbug.com/676623
- https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5
- http://rhn.redhat.com/errata/RHSA-2017-0499.html
- http://www.debian.org/security/2017/dsa-3810
- http://www.securityfocus.com/bid/96767
- http://www.securitytracker.com/id/1038157
- https://github.com/sparklemotion/nokogiri/issues/1634
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-5029.yml
- https://ubuntu.com/security/CVE-2017-5029
- https://ubuntu.com/security/notices/USN-3271-1
The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Nokogiri prior to 1.7.2, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
Nokogiri vulnerable to libxslt protection mechanism bypass
- https://nvd.nist.gov/vuln/detail/CVE-2019-11068
- https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
- https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36TEYN37XCCKN2XUMRTBBW67BPNMSW4K/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCOAX2IHUMKCM3ILHTMGLHCDSBTLP2JU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/
- https://security.netapp.com/advisory/ntap-20191017-0001/
- https://usn.ubuntu.com/3947-1/
- https://usn.ubuntu.com/3947-2/
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html
- http://www.openwall.com/lists/oss-security/2019/04/22/1
- http://www.openwall.com/lists/oss-security/2019/04/23/5
- https://github.com/sparklemotion/nokogiri/issues/1892
- https://github.com/sparklemotion/nokogiri/pull/1898
- https://github.com/sparklemotion/nokogiri/commit/fe034aedcc59b566740567d621843731686676b9
- https://github.com/sparklemotion/nokogiri/blob/f7aa3b0b29d6fe5fafe93dacd9b96b6b3d16b7ec/CHANGELOG.md?plain=1#L826
- https://github.com/advisories/GHSA-qxcg-xjjg-66mj
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-11068.yml
A dependency of Nokogiri, libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead
and xsltCheckWrite
permit access even upon receiving a -1
error code. xsltCheckRead
can return -1
for a crafted URL that is not actually invalid and is subsequently loaded.
Duplicate Advisory: Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-r95h-9x8f-r3f7. This link is maintained to preserve external references.
Original Description
Summary
Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.
libxml2 v2.12.7 addresses CVE-2024-34459:
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53
Impact
There is no impact to Nokogiri users because the issue is present only
in libxml2's xmllint
tool which Nokogiri does not provide or expose.
Timeline
- 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
- 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
- 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public
Nokogiri gem, via libxml, is affected by DoS vulnerabilities
- https://nvd.nist.gov/vuln/detail/CVE-2017-15412
- https://access.redhat.com/errata/RHSA-2017:3401
- https://access.redhat.com/errata/RHSA-2018:0287
- https://bugzilla.gnome.org/show_bug.cgi?id=783160
- https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html
- https://crbug.com/727039
- https://lists.debian.org/debian-lts-announce/2017/12/msg00014.html
- https://security.gentoo.org/glsa/201801-03
- https://www.debian.org/security/2018/dsa-4086
- https://github.com/sparklemotion/nokogiri/issues/1714
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-15412.yml
- https://web.archive.org/web/20201208155618/http://www.securitytracker.com/id/1040348
- https://github.com/advisories/GHSA-r58r-74gx-6wx3
Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Nokogiri Implements libxml2 version vulnerable to use-after-free
- https://nvd.nist.gov/vuln/detail/CVE-2021-3518
- https://bugzilla.redhat.com/show_bug.cgi?id=1954242
- https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
- https://security.gentoo.org/glsa/202107-05
- https://security.netapp.com/advisory/ntap-20210625-0002/
- https://github.com/sparklemotion/nokogiri/blob/2edbbef95f1dc12c1ddc5ebda71b9159026245fe/CHANGELOG.md?plain=1#L722
- https://github.com/advisories/GHSA-v4f8-2847-rwm7
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-3518.yml
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://nokogiri.org/CHANGELOG.html#1114-2021-05-14
- https://support.apple.com/kb/HT212601
- https://support.apple.com/kb/HT212602
- https://support.apple.com/kb/HT212604
- https://support.apple.com/kb/HT212605
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- http://seclists.org/fulldisclosure/2021/Jul/54
- http://seclists.org/fulldisclosure/2021/Jul/55
- http://seclists.org/fulldisclosure/2021/Jul/58
- http://seclists.org/fulldisclosure/2021/Jul/59
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
Use-after-free in libxml2 via Nokogiri::XML::Reader
Summary
Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4
libxml2 v2.11.7 and v2.12.5 address the following vulnerability:
CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.
JRuby users are not affected.
Severity
The Nokogiri maintainers have evaluated this as Moderate.
Impact
From the CVE description, this issue applies to the xmlTextReader
module (which underlies
Nokogiri::XML::Reader
):
When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Mitigation
Upgrade to Nokogiri ~> 1.15.6
or >= 1.16.2
.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.
Nokogiri implementation of libxslt vulnerable to heap corruption
- https://nvd.nist.gov/vuln/detail/CVE-2019-5815
- https://gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b
- https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html
- https://github.com/sparklemotion/nokogiri/issues/2630
- https://github.com/advisories/GHSA-vmfx-gcfq-wvm2
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5815.yml
Type confusion in xsltNumberFormatGetMultipleLevel
prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.
Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.
Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
- https://nvd.nist.gov/vuln/detail/CVE-2020-26247
- https://github.com/advisories/GHSA-vr8q-g5c7-m54m
- https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
- https://hackerone.com/reports/747489
- https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
- https://rubygems.org/gems/nokogiri
- https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md#v1110--2021-01-03
- https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html
- https://security.gentoo.org/glsa/202208-29
- https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-26247.yml
Severity
Nokogiri maintainers have evaluated this as Low Severity (CVSS3 2.6).
Description
In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema
are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.
This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.
Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be Low Severity
.
Affected Versions
Nokogiri <= 1.10.10
as well as prereleases 1.11.0.rc1
, 1.11.0.rc2
, and 1.11.0.rc3
Mitigation
There are no known workarounds for affected versions. Upgrade to Nokogiri 1.11.0.rc4
or later.
If, after upgrading to 1.11.0.rc4
or later, you wish to re-enable network access for resolution of external resources (i.e., return to the previous behavior):
- Ensure the input is trusted. Do not enable this option for untrusted input.
- When invoking the
Nokogiri::XML::Schema
constructor, pass as the second parameter an instance ofNokogiri::XML::ParseOptions
with theNONET
flag turned off.
So if your previous code was:
# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network
# but in v1.11.0.rc4 and later, this call will disallow network access for external resources
schema = Nokogiri::XML::Schema.new(schema)
# in v1.11.0.rc4 and later, the following is equivalent to the code above
# (the second parameter is optional, and this demonstrates its default value)
schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)
Then you can add the second parameter to indicate that the input is trusted by changing it to:
# in v1.11.0.rc3 and earlier, this would raise an ArgumentError
# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network
schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)
References
- This issue's public advisory
- Original Hackerone report (private)
- OWASP description of XXE attack
- OWASP description of SSRF attack
Credit
This vulnerability was independently reported by @eric-therond and @gucki.
The Nokogiri maintainers would like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to us.
Nokogiri gem, via libxml, is affected by DoS vulnerabilities
- https://nvd.nist.gov/vuln/detail/CVE-2017-16932
- https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961
- https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html
- https://bugzilla.gnome.org/show_bug.cgi?id=759579
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html
- https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html
- https://usn.ubuntu.com/3739-1/
- http://xmlsoft.org/news.html
- https://github.com/sparklemotion/nokogiri/issues/1714
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-16932.yml
- https://github.com/advisories/GHSA-x2fm-93ww-ggvx
parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.
Cross-site Scripting in loofah
- https://nvd.nist.gov/vuln/detail/CVE-2018-8048
- https://github.com/flavorjones/loofah/issues/144
- https://github.com/advisories/GHSA-x7rv-cr6v-4vm4
- https://security.netapp.com/advisory/ntap-20191122-0003/
- https://www.debian.org/security/2018/dsa-4171
- http://www.openwall.com/lists/oss-security/2018/03/19/5
- https://github.com/flavorjones/loofah/commit/f739cf8eac5851f328b8044281d6653f74eff116
- https://github.com/sparklemotion/nokogiri/pull/1746
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2018-8048.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml
Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
Users are affected if running Loofah < 2.2.1, but only:
- when running on MRI or RBX,
- in combination with libxml2 >= 2.9.2.
JRuby users are not affected.
Nokogiri Improperly Handles Unexpected Data Type
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
- https://nvd.nist.gov/vuln/detail/CVE-2022-29181
- https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267
- https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6
- https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri/
- https://github.com/advisories/GHSA-xh29-r2w5-wx8m
- https://security.gentoo.org/glsa/202208-29
- https://support.apple.com/kb/HT213532
- http://seclists.org/fulldisclosure/2022/Dec/23
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-29181.yml
Summary
Nokogiri < v1.13.6
does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory.
Severity
The Nokogiri maintainers have evaluated this as High 8.2 (CVSS3.1).
Mitigation
CRuby users should upgrade to Nokogiri >= 1.13.6
.
JRuby users are not affected.
Workarounds
To avoid this vulnerability in affected applications, ensure the untrusted input is a String
by calling #to_s
or equivalent.
Credit
This vulnerability was responsibly reported by @agustingianni and the Github Security Lab.
Denial of service or RCE from libxml2 and libxslt
Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks.
For more information, the Ubuntu Security Notice is a good start: http://www.ubuntu.com/usn/usn-2994-1/
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Nokogiri version 1.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:
CVE-2016-4658 CVSS v3 Base Score: 9.8 (Critical) libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
CVE-2016-5131 CVSS v3 Base Score: 8.8 (HIGH) Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.
Nokogiri gem, via libxml, is affected by DoS vulnerabilities
The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.6.
It was discovered that libxml2 incorrecty handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.
Nokogiri gem, via libxml, is affected by DoS vulnerabilities
The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.5.
Wei Lei discovered that libxml2 incorrecty handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.
Moderate severity vulnerability that affects nokogiri
The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
References: - https://nvd.nist.gov/vuln/detail/CVE-2017-18258 - https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb - https://github.com/advisories/GHSA-882p-jqgm-f45g - https://kc.mcafee.com/corporate/index?page=content&id=SB10284 - https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html - https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html - https://security.netapp.com/advisory/ntap-20190719-0001/ - https://usn.ubuntu.com/3739-1/
Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
nokogiri version 1.7.2 has been released.
This is a security update based on 1.7.1, addressing two upstream
libxslt 1.1.29 vulnerabilities classified as Medium
by Canonical
and given a CVSS3 score of 6.5 Medium
and 8.8 High
by RedHat.
These patches only apply when using Nokogiri's vendored libxslt package. If you're using your distro's system libraries, there's no need to upgrade from 1.7.0.1 or 1.7.1 at this time.
Full details are available at the github issue linked to in the changelog below.
1.7.2 / 2017-05-09
Security Notes
[MRI] Upstream libxslt patches are applied to the vendored libxslt 1.1.29 which address CVE-2017-5029 and CVE-2016-4738.
For more information:
- https://github.com/sparklemotion/nokogiri/issues/1634
- http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
- http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html
Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml 2.9.5.
It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663)
It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information. (CVE-2017-7375)
It was discovered that a buffer overflow existed in libxml2 when handling HTTP redirects. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-7376)
Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-9047)
Marcel Böhme and Van-Thuan Pham discovered a buffer overread in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service. (CVE-2017-9048)
Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads in libxml2 when handling parameter-entity references. An attacker could use these to specially construct XML data that could cause a denial of service. (CVE-2017-9049, CVE-2017-9050)
Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Nokogiri 1.8.5 has been released.
This is a security and bugfix release. It addresses two CVEs in upstream
libxml2 rated as medium
by Red Hat, for which details are below.
If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
Full details about the security update are available in Github Issue #1785.
[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
CVE-2018-14404
Permalink:
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html
Description:
A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATHOPAND or XPATHOPOR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application
Canonical rates this vulnerability as Priority: Medium
CVE-2018-14567
Permalink:
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html
Description:
infinite loop in LZMA decompression
Canonical rates this vulnerability as Priority: Medium
Out-of-bounds Write in zlib affects Nokogiri
Summary
Nokogiri v1.13.4 updates the vendored zlib from 1.2.11
to 1.2.12, which addresses CVE-2018-25032.
That CVE is scored as CVSS 7.4 High
on the NVD record as of 2022-04-05.
Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.4
, and only if the packaged version of zlib
is being used.
Please see this document
for a complete description of which platform gems vendor zlib
. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's zlib
release announcements.
Mitigation
Upgrade to Nokogiri >= v1.13.4
.
Impact
CVE-2018-25032 in zlib
- Severity: High
- Type: CWE-787 Out of bounds write
- Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Revert libxml2 behavior in Nokogiri gem that could cause XSS
[MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here:
https://github.com/GNOME/libxml2/commit/960f0e2
and more information is available about this commit and its impact here:
https://github.com/flavorjones/loofah/issues/144
This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities.
If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here:
https://bugzilla.gnome.org/show_bug.cgi?id=769760
Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Nokogiri v1.10.3 has been released.
This is a security release. It addresses a CVE in upstream libxslt rated as
Priority: medium
by Canonical, and NVD Severity: high
by Debian. More
details are available below.
If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.
Full details about the security update are available in Github Issue [#1892] https://github.com/sparklemotion/nokogiri/issues/1892.
CVE-2019-11068
Permalinks are: - Canonical: https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11068 - Debian: https://security-tracker.debian.org/tracker/CVE-2019-11068
Description:
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
Canonical rates this as Priority: Medium
.
Debian rates this as NVD Severity: High (attack range: remote)
.
Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Nokogiri v1.10.5 has been released.
This is a security release. It addresses three CVEs in upstream libxml2, for which details are below.
If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses these vulnerabilities.
Full details about the security update are available in Github Issue [#1943] https://github.com/sparklemotion/nokogiri/issues/1943.
CVE-2019-13117
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html
Priority: Low
Description: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
CVE-2019-13118
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html
Priority: Low
Description: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data
Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
CVE-2019-18197
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18197.html
Priority: Medium
Description: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
libxslt Type Confusion vulnerability that affects Nokogiri
In numbers.c
in libxslt 1.1.33, a type holding grouping characters of an xsl:number
instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal
, leading to a read of uninitialized stack data.
Nokogiri prior to version 1.10.5 used a vulnerable version of libxslt. Nokogiri 1.10.5 updated libxslt to version 1.1.34 to address this and other vulnerabilities in libxslt.
Nokogiri affected by libxslt Use of Uninitialized Resource/ Use After Free vulnerability
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.
Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
commands to be executed in a subprocess by Ruby's Kernel.open
method.
Processes are vulnerable only if the undocumented method
Nokogiri::CSS::Tokenizer#load_file
is being passed untrusted user input.
This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method
Nokogiri::CSS::Tokenizer#load_file
with untrusted user input.
Nokogiri implementation of libxslt vulnerable to heap corruption
Type confusion in xsltNumberFormatGetMultipleLevel
prior to
libxslt 1.1.33 could allow attackers to potentially exploit heap
corruption via crafted XML data.
Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.
Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Description
In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema
are trusted by default, allowing external resources to be accessed over the
network, potentially enabling XXE or SSRF attacks.
This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.
Please note that this security
fix was pushed into a new minor version, 1.11.x, rather than a patch release to
the 1.10.x branch, because it is a breaking change for some schemas and the risk
was assessed to be Low Severity
.
Affected Versions
Nokogiri <= 1.10.10
as well as prereleases 1.11.0.rc1
, 1.11.0.rc2
, and 1.11.0.rc3
Mitigation
There are no known workarounds for affected versions. Upgrade to Nokogiri
1.11.0.rc4
or later.
If, after upgrading to 1.11.0.rc4
or later, you wish
to re-enable network access for resolution of external resources (i.e., return to
the previous behavior):
- Ensure the input is trusted. Do not enable this option for untrusted input.
- When invoking the
Nokogiri::XML::Schema
constructor, pass as the second parameter an instance ofNokogiri::XML::ParseOptions
with theNONET
flag turned off.
So if your previous code was:
# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network
# but in v1.11.0.rc4 and later, this call will disallow network access for external resources
schema = Nokogiri::XML::Schema.new(schema)
# in v1.11.0.rc4 and later, the following is equivalent to the code above
# (the second parameter is optional, and this demonstrates its default value)
schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)
Then you can add the second parameter to indicate that the input is trusted by changing it to:
# in v1.11.0.rc3 and earlier, this would raise an ArgumentError
# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network
schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)
libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2, and released this as v1.10.8
CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.
Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Summary
Nokogiri v1.13.2 upgrades two of its packaged dependencies:
- vendored libxml2 from v2.9.12 to v2.9.13
- vendored libxslt from v1.1.34 to v1.1.35
Those library versions address the following upstream CVEs:
- libxslt: CVE-2021-30560 (CVSS 8.8, High severity)
- libxml2: CVE-2022-23308 (Unspecified severity, see more information below)
Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs.
Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's libxml2
and libxslt
release announcements.
Mitigation
Upgrade to Nokogiri >= 1.13.2.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.
Impact
- libxslt CVE-2021-30560
- CVSS3 score: 8.8 (High)
Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c
All versions of libxslt prior to v1.1.35 are affected.
Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately.
libxml2 CVE-2022-23308 * As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score. * Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12 * Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html
The upstream commit and the explanation linked above indicate that an application
may be vulnerable to a denial of service, memory disclosure, or code execution if
it parses an untrusted document with parse options DTDVALID
set to true, and NOENT
set to false.
An analysis of these parse options:
- While
NOENT
is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later. DTDVALID
is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly.
It seems reasonable to assume that any application explicitly setting the parse
option DTDVALID
when parsing untrusted documents is vulnerable and should be
upgraded immediately.
Nokogiri contains libxml Out-of-bounds Write vulnerability
There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
Nokogiri prior to version 1.11.4 used a vulnerable version of libxml2. Nokogiri 1.11.4 updated libxml2 to version 2.9.11 to address this and other vulnerabilities in libxml2.
Nokogiri Implements libxml2 version vulnerable to use-after-free
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Severity
The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.0) for JRuby users. (This security advisory does not apply to CRuby users.)
Impact
In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default.
Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:
- Nokogiri::XML::SAX::Parser
- Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser
- Nokogiri::XML::SAX::PushParser
- Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser
Mitigation
JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.
CRuby users are not affected.
XML Injection in Xerces Java affects Nokogiri
Summary
Nokogiri v1.13.4 updates the vendored xerces:xercesImpl
from 2.12.0 to
2.12.2, which addresses CVE-2022-23437.
That CVE is scored as CVSS 6.5 Medium
on the NVD record.
Please note that this advisory only applies to the JRuby implementation
of Nokogiri < 1.13.4
.
Mitigation
Upgrade to Nokogiri >= v1.13.4
.
Impact
CVE-2022-23437 in xerces-J
- Severity: Medium
- Type: CWE-91 XML Injection (aka Blind XPath Injection)
- Description: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
- See also: https://github.com/advisories/GHSA-h65f-jvqw-m9fj
Inefficient Regular Expression Complexity in Nokogiri
Summary
Nokogiri < v1.13.4
contains an inefficient regular expression that is
susceptible to excessive backtracking when attempting to detect encoding
in HTML documents.
Mitigation
Upgrade to Nokogiri >= 1.13.4
.
Denial of Service (DoS) in Nokogiri on JRuby
Summary
Nokogiri v1.13.4
updates the vendored org.cyberneko.html
library to
1.9.22.noko2
which addresses CVE-2022-24839.
That CVE is rated 7.5 (High Severity).
See GHSA-9849-p7jc-9rmv for more information.
Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4
.
Mitigation
Upgrade to Nokogiri >= 1.13.4
.
Impact
CVE-2022-24839 in nekohtml
- Severity: High 7.5
- Type: CWE-400 Uncontrolled Resource Consumption
- Description: The fork of
org.cyberneko.html
used by Nokogiri (Rubygem) raises ajava.lang.OutOfMemoryError
exception when parsing ill-formed HTML markup. - See also: GHSA-9849-p7jc-9rmv
Improper Handling of Unexpected Data Type in Nokogiri
Summary
Nokogiri < v1.13.6
does not type-check all inputs into the XML and HTML4 SAX parsers.
For CRuby users, this may allow specially crafted untrusted inputs to cause illegal
memory access errors (segfault) or reads from unrelated memory.
Severity
The Nokogiri maintainers have evaluated this as High 8.2 (CVSS3.1).
Mitigation
CRuby users should upgrade to Nokogiri >= 1.13.6
.
JRuby users are not affected.
Workarounds
To avoid this vulnerability in affected applications, ensure the untrusted input is a
String
by calling #to_s
or equivalent.
Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Summary
Nokogiri v1.13.2 upgrades two of its packaged dependencies:
- vendored libxml2 from v2.9.12 to v2.9.13
- vendored libxslt from v1.1.34 to v1.1.35
Those library versions address the following upstream CVEs:
- libxslt: CVE-2021-30560 (CVSS 8.8, High severity)
- libxml2: CVE-2022-23308 (Unspecified severity, see more information below)
Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs.
Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's libxml2
and libxslt
release announcements.
Mitigation
Upgrade to Nokogiri >= 1.13.2.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.
Impact
- libxslt CVE-2021-30560
- CVSS3 score: 8.8 (High)
Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c
All versions of libxslt prior to v1.1.35 are affected.
Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately.
libxml2 CVE-2022-23308 * As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score. * Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12 * Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html
The upstream commit and the explanation linked above indicate that an application
may be vulnerable to a denial of service, memory disclosure, or code execution if
it parses an untrusted document with parse options DTDVALID
set to true, and NOENT
set to false.
An analysis of these parse options:
- While
NOENT
is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later. DTDVALID
is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly.
It seems reasonable to assume that any application explicitly setting the parse
option DTDVALID
when parsing untrusted documents is vulnerable and should be
upgraded immediately.
Denial of Service (DoS) in Nokogiri on JRuby
Summary
Nokogiri v1.13.4
updates the vendored org.cyberneko.html
library to
1.9.22.noko2
which addresses CVE-2022-24839.
That CVE is rated 7.5 (High Severity).
See GHSA-9849-p7jc-9rmv for more information.
Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4
.
Mitigation
Upgrade to Nokogiri >= 1.13.4
.
Impact
CVE-2022-24839 in nekohtml
- Severity: High 7.5
- Type: CWE-400 Uncontrolled Resource Consumption
- Description: The fork of
org.cyberneko.html
used by Nokogiri (Rubygem) raises ajava.lang.OutOfMemoryError
exception when parsing ill-formed HTML markup. - See also: GHSA-9849-p7jc-9rmv
Update packaged libxml2 to v2.10.4 to resolve multiple CVEs
Summary
Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to v2.10.4 from v2.10.3.
libxml2 v2.10.4 addresses the following known vulnerabilities:
- CVE-2023-29469: Hashing of empty dict strings isn't deterministic
- CVE-2023-28484: Fix null deref in xmlSchemaFixupComplexType
- Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3
,
and only if the packaged libraries are being used. If you've overridden defaults at installation
time to use system libraries instead of packaged libraries, you should instead pay attention to
your distro's libxml2
release announcements.
Mitigation
Upgrade to Nokogiri >= 1.14.3
.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against external libraries libxml2 >= 2.10.4
which will also address these
same issues.
Impact
No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicate that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.
The commits can be examined at:
- [CVE-2023-29469] Hashing of empty dict strings isn't deterministic (09a2dd45)
- [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType (647e072e)
- schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7)
Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459
Summary
Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.
libxml2 v2.12.7 addresses CVE-2024-34459:
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53
Impact
There is no impact to Nokogiri users because the issue is present only
in libxml2's xmllint
tool which Nokogiri does not provide or expose.
Timeline
- 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
- 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
- 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public
Out-of-bounds Write in zlib affects Nokogiri
Summary
Nokogiri v1.13.4 updates the vendored zlib from 1.2.11
to 1.2.12, which addresses CVE-2018-25032.
That CVE is scored as CVSS 7.4 High
on the NVD record as of 2022-04-05.
Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.4
, and only if the packaged version of zlib
is being used.
Please see this document
for a complete description of which platform gems vendor zlib
. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's zlib
release announcements.
Mitigation
Upgrade to Nokogiri >= v1.13.4
.
Impact
CVE-2018-25032 in zlib
- Severity: High
- Type: CWE-787 Out of bounds write
- Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Use-after-free in libxml2 via Nokogiri::XML::Reader
Summary
Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4
libxml2 v2.11.7 and v2.12.5 address the following vulnerability:
CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.
JRuby users are not affected.
Severity
The Nokogiri maintainers have evaluated this as Moderate.
Impact
From the CVE description, this issue applies to the xmlTextReader
module (which underlies
Nokogiri::XML::Reader
):
When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Mitigation
Upgrade to Nokogiri ~> 1.15.6
or >= 1.16.2
.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.
XML Injection in Xerces Java affects Nokogiri
Summary
Nokogiri v1.13.4 updates the vendored xerces:xercesImpl
from 2.12.0 to
2.12.2, which addresses CVE-2022-23437.
That CVE is scored as CVSS 6.5 Medium
on the NVD record.
Please note that this advisory only applies to the JRuby implementation
of Nokogiri < 1.13.4
.
Mitigation
Upgrade to Nokogiri >= v1.13.4
.
Impact
CVE-2022-23437 in xerces-J
- Severity: Medium
- Type: CWE-91 XML Injection (aka Blind XPath Injection)
- Description: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
- See also: https://github.com/advisories/GHSA-h65f-jvqw-m9fj
171 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
1.16.5 | MIT | 2024-05-13 - 14:01 | 6 days | |
1.16.4 | MIT | 2 | 2024-04-10 - 18:17 | about 1 month |
1.16.3 | MIT | 2 | 2024-03-15 - 21:21 | 2 months |
1.16.2 | MIT | 2 | 2024-02-04 - 16:52 | 3 months |
1.16.1 | MIT | 4 | 2024-02-03 - 16:27 | 4 months |
1.16.0 | MIT | 4 | 2023-12-28 - 00:08 | 5 months |
1.16.0.rc1 | MIT | 3 | 2023-12-13 - 22:00 | 5 months |
1.15.6 | MIT | 2 | 2024-03-16 - 13:14 | 2 months |
1.15.5 | MIT | 3 | 2023-11-17 - 16:13 | 6 months |
1.15.4 | MIT | 3 | 2023-08-11 - 19:25 | 9 months |
1.15.3 | MIT | 3 | 2023-07-05 - 14:34 | 11 months |
1.15.2 | MIT | 3 | 2023-05-24 - 13:31 | 12 months |
1.15.1 | MIT | 3 | 2023-05-19 - 14:06 | about 1 year |
1.15.0 | MIT | 3 | 2023-05-15 - 19:57 | about 1 year |
1.14.5 | MIT | 4 | 2023-05-24 - 13:04 | 12 months |
1.14.4 | MIT | 4 | 2023-05-11 - 18:12 | about 1 year |
1.14.3 | MIT | 4 | 2023-04-11 - 17:00 | about 1 year |
1.14.2 | MIT | 5 | 2023-02-13 - 17:41 | over 1 year |
1.14.1 | MIT | 5 | 2023-01-30 - 19:40 | over 1 year |
1.14.0 | MIT | 5 | 2023-01-12 - 21:52 | over 1 year |
1.14.0.rc1 | MIT | 5 | 2022-12-29 - 15:47 | over 1 year |
1.13.10 | MIT | 5 | 2022-12-08 - 02:47 | over 1 year |
1.13.9 | MIT | 7 | 2022-10-18 - 15:48 | over 1 year |
1.13.8 | MIT | 8 | 2022-07-23 - 15:50 | almost 2 years |
1.13.7 | MIT | 6 | 2022-07-12 - 14:56 | almost 2 years |
1.13.6 | MIT | 6 | 2022-05-08 - 14:34 | about 2 years |
1.13.5 | MIT | 8 | 2022-05-04 - 20:41 | about 2 years |
1.13.4 | MIT | 9 | 2022-04-11 - 20:44 | about 2 years |
1.13.3 | MIT | 18 | 2022-02-22 - 04:52 | about 2 years |
1.13.2 | MIT | 18 | 2022-02-21 - 18:52 | about 2 years |
1.13.1 | MIT | 21 | 2022-01-13 - 16:04 | over 2 years |
1.13.0 | MIT | 21 | 2022-01-06 - 20:53 | over 2 years |
1.12.5 | MIT | 21 | 2021-09-27 - 19:03 | over 2 years |
1.12.4 | MIT | 23 | 2021-08-29 - 21:18 | over 2 years |
1.12.3 | MIT | 23 | 2021-08-10 - 19:32 | almost 3 years |
1.12.2 | MIT | 23 | 2021-08-04 - 15:03 | almost 3 years |
1.12.1 | MIT | 23 | 2021-08-03 - 15:11 | almost 3 years |
1.12.0 | MIT | 23 | 2021-08-02 - 17:34 | almost 3 years |
1.12.0.rc1 | MIT | 23 | 2021-07-09 - 20:00 | almost 3 years |
1.11.7 | MIT | 23 | 2021-06-03 - 00:31 | almost 3 years |
1.11.6 | MIT | 23 | 2021-05-26 - 13:16 | almost 3 years |
1.11.5 | MIT | 23 | 2021-05-20 - 03:08 | almost 3 years |
1.11.4 | MIT | 23 | 2021-05-14 - 23:30 | about 3 years |
1.11.3 | MIT | 30 | 2021-04-07 - 20:33 | about 3 years |
1.11.2 | MIT | 30 | 2021-03-11 - 15:56 | about 3 years |
1.11.1 | MIT | 30 | 2021-01-06 - 05:30 | over 3 years |
1.11.0 | MIT | 30 | 2021-01-04 - 04:20 | over 3 years |
1.11.0.rc4 | MIT | 30 | 2020-12-29 - 16:44 | over 3 years |
1.11.0.rc3 | MIT | 31 | 2020-09-08 - 13:26 | over 3 years |
1.11.0.rc2 | MIT | 31 | 2020-04-01 - 19:18 | about 4 years |
1.11.0.rc1 | MIT | 31 | 2020-02-03 - 13:54 | over 4 years |
1.10.10 | MIT | 32 | 2020-07-06 - 13:40 | almost 4 years |
1.10.9 | MIT | 32 | 2020-03-01 - 19:05 | about 4 years |
1.10.8 | MIT | 32 | 2020-02-10 - 19:44 | over 4 years |
1.10.7 | MIT | 34 | 2019-12-04 - 15:29 | over 4 years |
1.10.6 | MIT | 34 | 2019-12-04 - 00:44 | over 4 years |
1.10.5 | MIT | 34 | 2019-10-31 - 19:29 | over 4 years |
1.10.4 | MIT | 42 | 2019-08-11 - 19:25 | almost 5 years |
1.10.3 | MIT | 44 | 2019-04-22 - 17:10 | about 5 years |
1.10.2 | MIT | 46 | 2019-03-25 - 13:03 | about 5 years |
1.10.1 | MIT | 46 | 2019-01-13 - 06:30 | over 5 years |
1.10.0 | MIT | 46 | 2019-01-04 - 15:35 | over 5 years |
1.10.0.rc1 | MIT | 46 | 2019-01-03 - 15:05 | over 5 years |
1.9.1 | MIT | 46 | 2018-12-18 - 05:22 | over 5 years |
1.9.0 | MIT | 46 | 2018-12-17 - 15:21 | over 5 years |
1.9.0.rc1 | MIT | 46 | 2018-12-10 - 06:10 | over 5 years |
1.8.5 | MIT | 46 | 2018-10-05 - 01:14 | over 5 years |
1.8.4 | MIT | 48 | 2018-07-04 - 00:37 | almost 6 years |
1.8.3 | MIT | 48 | 2018-06-16 - 20:04 | almost 6 years |
1.8.2 | MIT | 50 | 2018-01-29 - 13:16 | over 6 years |
1.8.1 | MIT | 54 | 2017-09-19 - 16:12 | over 6 years |
1.8.0 | MIT | 58 | 2017-06-05 - 04:04 | almost 7 years |
1.7.2 | MIT | 58 | 2017-05-09 - 21:29 | about 7 years |
1.7.1 | MIT | 60 | 2017-03-20 - 03:39 | about 7 years |
1.7.0.1 | MIT | 62 | 2017-01-04 - 05:42 | over 7 years |
1.7.0 | MIT | 62 | 2016-12-27 - 03:49 | over 7 years |
1.6.8.1 | MIT | 62 | 2016-10-03 - 04:46 | over 7 years |
1.6.8 | MIT | 62 | 2016-06-07 - 00:04 | almost 8 years |
1.6.8.rc3 | MIT | 64 | 2016-02-17 - 06:33 | over 8 years |
1.6.8.rc2 | MIT | 64 | 2016-01-12 - 17:08 | over 8 years |
1.6.8.rc1 | MIT | 64 | 2015-12-17 - 07:28 | over 8 years |
1.6.7.2 | MIT | 64 | 2016-01-20 - 19:18 | over 8 years |
1.6.7.1 | MIT | 66 | 2015-12-17 - 05:08 | over 8 years |
1.6.7 | MIT | 68 | 2015-11-30 - 04:21 | over 8 years |
1.6.7.rc4 | MIT | 68 | 2015-11-22 - 22:56 | over 8 years |
1.6.7.rc3 | MIT | 69 | 2015-09-04 - 17:34 | over 8 years |
1.6.7.rc2 | MIT | 69 | 2015-08-31 - 13:51 | over 8 years |
1.6.6.4 | MIT | 68 | 2015-11-19 - 20:58 | over 8 years |
1.6.6.3 | MIT | 69 | 2015-11-17 - 00:02 | over 8 years |
1.6.6.2 | MIT | 69 | 2015-01-23 - 18:53 | over 9 years |
1.6.6.1 | MIT | 69 | 2015-01-22 - 18:42 | over 9 years |
1.6.5 | MIT | 69 | 2014-11-26 - 21:07 | over 9 years |
1.6.4.1 | MIT | 69 | 2014-11-07 - 03:03 | over 9 years |
1.6.4 | MIT | 69 | 2014-11-05 - 04:32 | over 9 years |
1.6.3.1 | MIT | 69 | 2014-07-22 - 01:35 | almost 10 years |
1.6.3 | MIT | 69 | 2014-07-20 - 18:57 | almost 10 years |
1.6.3.rc3 | MIT | 70 | 2014-06-21 - 20:31 | almost 10 years |
1.6.3.rc2 | MIT | 70 | 2014-06-17 - 17:04 | almost 10 years |
1.6.3.rc1 | MIT | 70 | 2014-05-22 - 19:23 | almost 10 years |
1.6.2.1 | MIT | 69 | 2014-05-14 - 01:21 | about 10 years |