Mageia alert MGASA-2021-0063 (ruby-nokogiri)

From:
             
 
Mageia Updates <buildsystem-daemon@mageia.org>
To:
             
 
updates-announce@ml.mageia.org
Subject:
             
 
[updates-announce] MGASA-2021-0063: Updated ruby-nokogiri packages fix security vulnerabilities
Date:
             
 
Thu, 04 Feb 2021 14:41:27 +0100
Message-ID:
             
 
<20210204134127.310D89F736@duvel.mageia.org>
Archive-link:
             
 
Article
MGASA-2021-0063 - Updated ruby-nokogiri packages fix security vulnerabilities

Publication date: 04 Feb 2021
URL: https://advisories.mageia.org/MGASA-2021-0063.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-5477,
     CVE-2020-26247

Description:
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
commands to be executed in a subprocess via Ruby's `Kernel.open` method.
Processes are vulnerable only if the undocumented method
`Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as
the filename (CVE-2019-5477).

In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML
Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing
external resources to be accessed over the network, potentially enabling XXE or
SSRF attacks. This behavior is counter to the security policy followed by
Nokogiri maintainers, which is to treat all input as untrusted by default
whenever possible (CVE-2020-26247).

The ruby-nokogiri package has been updated to version 1.10.10 to fix
CVE-2019-5477 and patched to fix CVE-2020-26247.

References:
- https://bugs.mageia.org/show_bug.cgi?id=28141
- https://github.com/sparklemotion/nokogiri/releases/
- https://lists.suse.com/pipermail/sle-security-updates/202...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2...

SRPMS:
- 7/core/ruby-nokogiri-1.10.10-1.mga7