HIGH 7.5

GHSA-7hp2-xwpj-95jq

Denial of service or RCE from libxml2 and libxslt

Details

Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks.

Are you affected?

Enter the version of the package you're using.

Affected packages

RubyGems / nokogiri

Introduced in: 1.6.0 Fixed in: 1.6.8

Fix bundle update nokogiri

References

https://nvd.nist.gov/vuln/detail/CVE-2015-8806 [ADVISORY]
https://github.com/sparklemotion/nokogiri/issues/1473 [WEB]
https://bugzilla.gnome.org/show_bug.cgi?id=749115 [WEB]
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-8806.yml [WEB]
https://github.com/sparklemotion/nokogiri [PACKAGE]
https://security.gentoo.org/glsa/201701-37 [WEB]
https://web.archive.org/web/20160928171015/http://www.securityfocus.com/bid/82071 [WEB]
https://www.debian.org/security/2016/dsa-3593 [WEB]
http://www.openwall.com/lists/oss-security/2016/02/03/5 [WEB]
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html [WEB]
http://www.ubuntu.com/usn/USN-2994-1 [WEB]