
Upgrade to nokogiri 1.7.2 #4

Merged
merged 1 commit into from
May 22, 2017

Conversation

tlehman (Contributor)

@tlehman tlehman commented May 22, 2017

Fixes the vulnerabilities mentioned below:

USN-3271-1 - UPSTREAM LIBXSLT VULNERABILITIES

CVE-2017-5029: The xsltAddTextString function in transform.c lacks a check for integer overflow during a size calculation, which allows a remote attacker to perform an out of bounds memory write via a crafted HTML page.

CVE-2016-1683: numbers.c in libxslt mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document.

CVE-2016-1841: libxslt allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

Fixed versions: 1.7.2
Identifier: USN-3271-1
Solution: Upgrade to latest version.
Sources: sparklemotion/nokogiri#1634
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html
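As an added example, not code from this PR or the project: a Ruby check that reads a Gemfile.lock and flags a nokogiri pin below the 1.7.2 fix level named above, so a reviewer can confirm an app has actually picked up the upgrade. The lockfile content is constructed for illustration.

```ruby
# Added example, not code from the PR or the project: audit a Gemfile.lock
# for a nokogiri pin older than 1.7.2, the fixed version the PR names.
require "rubygems"

FIXED_NOKOGIRI = Gem::Version.new("1.7.2") # fix level for USN-3271-1

# Constructed Gemfile.lock fragment for illustration (not the project's own).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.1.0)
      nokogiri (1.7.1)
        mini_portile2 (~> 2.1.0)
      rake (12.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
LOCK

# Pinned version of gem_name from the specs section, or nil if not locked.
# Top-level specs sit at exactly four spaces of indent; deeper lines are a
# spec's dependencies and carry constraints ("~> 2.1.0"), not pins.
# A platform suffix such as "1.7.2-x86-mingw32" is dropped before parsing.
def locked_version(lockfile, gem_name)
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/
  lockfile.each_line do |line|
    m = pattern.match(line)
    return Gem::Version.new(m[1].split("-", 2).first) if m
  end
  nil
end

# true if the locked nokogiri predates the fix (still carries the libxslt
# issues listed above), false if at or above it, nil if nokogiri is absent.
def nokogiri_vulnerable?(lockfile)
  version = locked_version(lockfile, "nokogiri")
  version && version < FIXED_NOKOGIRI
end

if __FILE__ == $PROGRAM_NAME
  v = locked_version(SAMPLE_LOCKFILE, "nokogiri")
  puts "nokogiri #{v}: #{nokogiri_vulnerable?(SAMPLE_LOCKFILE) ? 'upgrade needed' : 'ok'}"
end
```

Point it at a real lockfile with `File.read("Gemfile.lock")` in place of the constructed sample.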

@tlehman tlehman merged commit 10e4040 into master May 22, 2017
@tlehman tlehman deleted the bump-nokogiri-to-1.7.2 branch May 22, 2017 22:33