DebianDEBIAN:DLA-2678-1:4892C[SECURITY] [DLA 2678-1] ruby-nokogiri security update
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.5 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
53.1%
Debian LTS Advisory DLA-2678-1 [email protected]
https://www.debian.org/lts/security/ Markus Koschany
June 06, 2021 https://wiki.debian.org/LTS
Package : ruby-nokogiri
Version : 1.6.8.1-1+deb9u1
CVE ID : CVE-2020-26247
Debian Bug : 978967
An XXE vulnerability was found in Nokogiri, a Rubygem providing HTML, XML, SAX,
and Reader parsers with XPath and CSS selector support.
XML Schemas parsed by Nokogiri::XML::Schema were trusted by default, allowing
external resources to be accessed over the network, potentially enabling XXE or
SSRF attacks. The new default behavior is to treat all input as untrusted.
The upstream advisory provides further information how to mitigate the problem
or restore the old behavior again.
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
For Debian 9 stretch, this problem has been fixed in version
1.6.8.1-1+deb9u1.
We recommend that you upgrade your ruby-nokogiri packages.
For the detailed security status of ruby-nokogiri please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-nokogiri
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: This is a digitally signed message part
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 10 | arm64 | ruby-nokogiri-dbgsym | < 1.10.0+dfsg1-2+deb10u1 | ruby-nokogiri-dbgsym_1.10.0+dfsg1-2+deb10u1_arm64.deb |
| Debian | 10 | i386 | ruby-nokogiri-dbgsym | < 1.10.0+dfsg1-2+deb10u1 | ruby-nokogiri-dbgsym_1.10.0+dfsg1-2+deb10u1_i386.deb |
| Debian | 9 | arm64 | ruby-nokogiri | < 1.6.8.1-1+deb9u1 | ruby-nokogiri_1.6.8.1-1+deb9u1_arm64.deb |
| Debian | 9 | armhf | ruby-nokogiri | < 1.6.8.1-1+deb9u1 | ruby-nokogiri_1.6.8.1-1+deb9u1_armhf.deb |
| Debian | 10 | i386 | ruby-nokogiri | < 1.10.0+dfsg1-2+deb10u1 | ruby-nokogiri_1.10.0+dfsg1-2+deb10u1_i386.deb |
| Debian | 10 | amd64 | ruby-nokogiri-dbgsym | < 1.10.0+dfsg1-2+deb10u1 | ruby-nokogiri-dbgsym_1.10.0+dfsg1-2+deb10u1_amd64.deb |
| Debian | 9 | i386 | ruby-nokogiri | < 1.6.8.1-1+deb9u1 | ruby-nokogiri_1.6.8.1-1+deb9u1_i386.deb |
| Debian | 10 | arm64 | ruby-nokogiri | < 1.10.0+dfsg1-2+deb10u1 | ruby-nokogiri_1.10.0+dfsg1-2+deb10u1_arm64.deb |
| Debian | 10 | all | ruby-nokogiri | < 1.10.0+dfsg1-2+deb10u1 | ruby-nokogiri_1.10.0+dfsg1-2+deb10u1_all.deb |
| Debian | 10 | armhf | ruby-nokogiri | < 1.10.0+dfsg1-2+deb10u1 | ruby-nokogiri_1.10.0+dfsg1-2+deb10u1_armhf.deb |
Related
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.5 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
53.1%