DLA 2678-1: ruby-nokogiri security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2678-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
June 06, 2021 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : ruby-nokogiri
Version : 1.6.8.1-1+deb9u1
CVE ID : CVE-2020-26247
Debian Bug : 978967
An XXE vulnerability was found in Nokogiri, a Rubygem providing HTML, XML, SAX,
and Reader parsers with XPath and CSS selector support.
XML Schemas parsed by Nokogiri::XML::Schema were trusted by default, allowing
external resources to be accessed over the network, potentially enabling XXE or
SSRF attacks. The new default behavior is to treat all input as untrusted.
The upstream advisory provides further information how to mitigate the problem
or restore the old behavior again.
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
For Debian 9 stretch, this problem has been fixed in version
1.6.8.1-1+deb9u1.
We recommend that you upgrade your ruby-nokogiri packages.
For the detailed security status of ruby-nokogiri please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-nokogiri
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
A ruby-nokogiri security update has been released for Debian GNU/Linux 9 LTS to address an XXE vulnerability.