HIGH
GHSA-xjqg-9jvg-fgx2
Nokogiri subject to DoS via libxml2 vulnerability
Details
The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 (as used in nokogiri before 1.6.7.1) does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2015-5312 [ADVISORY]
- https://bugzilla.redhat.com/show_bug.cgi?id=1276693 [WEB]
- https://git.gnome.org/browse/libxml2/commit/?id=69030714cde66d525a8884bda01b9e8f0abf8e1e [WEB]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-5312.yml [WEB]
- https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s [WEB]
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04944172 [WEB]
- https://security.gentoo.org/glsa/201701-37 [WEB]
- https://support.apple.com/HT206166 [WEB]
- https://support.apple.com/HT206167 [WEB]
- https://support.apple.com/HT206168 [WEB]
- https://support.apple.com/HT206169 [WEB]
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html [WEB]
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html [WEB]
- http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html [WEB]
- http://marc.info/?l=bugtraq&m=145382616617563&w=2 [WEB]
- http://rhn.redhat.com/errata/RHSA-2015-2549.html [WEB]
- http://rhn.redhat.com/errata/RHSA-2015-2550.html [WEB]
- http://www.debian.org/security/2015/dsa-3430 [WEB]
- http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html [WEB]
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html [WEB]
- http://www.ubuntu.com/usn/USN-2834-1 [WEB]
- http://xmlsoft.org/news.html [WEB]