ELA-438-1 ruby-nokogiri security update
Package ruby-nokogiri
ELA-438-1 ruby-nokogiri security update
Version 1.6.3.1+ds-1+deb8u2
Related CVEs CVE-2020-26247
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. An XXE vulnerability was found in Nokogiri. XML Schemas parsed by Nokogiri::XML::Schema were trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. The new default behavior is to treat all input as untrusted. See also upstream’s security advisory for more information how to mitigate the problem or to restore the old behavior again.
For Debian 8 jessie, these problems have been fixed in version 1.6.3.1+ds-1+deb8u2.
We recommend that you upgrade your ruby-nokogiri packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
A ruby-nokogiri security update has been released for Debian GNU/Linux 8 Extended LTS to address a XXE vulnerability.