Mageia 2022-0200: ruby-nokogiri security update
Summary
Nokogiri did not type-check all inputs into the XML and HTML4 SAX parsers,
allowing specially crafted untrusted inputs to cause illegal memory access
errors (segfault) or reads from unrelated memory. Version 1.13.6 contains
a patch for this issue. As a workaround, ensure the untrusted input is a
'String' by calling '#to_s' or equivalent.
References
- https://bugs.mageia.org/show_bug.cgi?id=30451
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4J4GGCK2IK6R7HJKHPGPCCZRBXEWHBVC/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181
Resolution
MGASA-2022-0200 - Updated ruby-nokogiri packages fix security vulnerability
SRPMS
- 8/core/ruby-nokogiri-1.11.7-1.1.mga8