[SECURITY] [DLA 229-1] libnokogiri-ruby security update

2015-05-2718:03:10

lists.debian.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.7%

JSON

Package : libnokogiri-ruby
Version : 1.4.0-4+deb6u1
CVE ID : CVE-2012-6685

An XML eXternal Entity (XXE) flaw was found in Nokogiri, a Ruby gem for
parsing HTML, XML, and SAX. Using external XML entities, a remote attacker
could specify a URL in a specially crafted XML that, when parsed, would
cause a connection to that URL to be opened.

This update enables the "nonet" option by default (and provides new
methods to disable default options if needed).

–
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Attachment:
signature.asc
Description: Digital signature

OSVersionArchitecturePackageVersionFilename
Debian6alllibnokogiri-ruby< 1.4.0-4+deb6u1libnokogiri-ruby_1.4.0-4+deb6u1_all.deb
Debian6amd64libnokogiri-ruby1.9.1< 1.4.0-4+deb6u1libnokogiri-ruby1.9.1_1.4.0-4+deb6u1_amd64.deb
Debian6amd64libnokogiri-ruby1.8< 1.4.0-4+deb6u1libnokogiri-ruby1.8_1.4.0-4+deb6u1_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	all	libnokogiri-ruby	< 1.4.0-4+deb6u1	libnokogiri-ruby_1.4.0-4+deb6u1_all.deb
Debian	6	amd64	libnokogiri-ruby1.9.1	< 1.4.0-4+deb6u1	libnokogiri-ruby1.9.1_1.4.0-4+deb6u1_amd64.deb
Debian	6	amd64	libnokogiri-ruby1.8	< 1.4.0-4+deb6u1	libnokogiri-ruby1.8_1.4.0-4+deb6u1_amd64.deb