Fixes the vulnerabilities mentioned below:
USN-3271-1 - UPSTREAM LIBXSLT VULNERABILITIES
CVE-2017-5029: The xsltAddTextString function in transform.c lacks a check for integer overflow during a size calculation, which allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.
CVE-2016-1683: numbers.c in libxslt mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document.
CVE-2016-1841: libxslt allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
Fixed versions: 1.7.2
Identifier: USN-3271-1
Solution: Upgrade to latest version.
Sources: sparklemotion/nokogiri#1634
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html