Updated ruby-nokogiri packages fix security vulnerability
Publication date: 22 May 2022Modification date: 22 May 2022
Type: security
Affected Mageia releases : 8
CVE: CVE-2022-29181
Description
Nokogiri did not type-check all inputs into the XML and HTML4 SAX parsers,
allowing specially crafted untrusted inputs to cause illegal memory access
errors (segfault) or reads from unrelated memory. Version 1.13.6 contains
a patch for this issue. As a workaround, ensure the untrusted input is a
'String' by calling '#to_s' or equivalent.
References
- https://bugs.mageia.org/show_bug.cgi?id=30451
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4J4GGCK2IK6R7HJKHPGPCCZRBXEWHBVC/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181
SRPMS
8/core
- ruby-nokogiri-1.11.7-1.1.mga8