SUSE-SU-2021:0251-1

Published: 1 Feb 2021
Source: suse-cvrf

Description

Security update for rubygem-nokogiri

This update for rubygem-nokogiri fixes the following issues:

rubygem-nokogiri was updated to 1.8.5 (bsc#1156722).

Security issues fixed:

  • CVE-2019-5477: Fixed a command injection vulnerability (bsc#1146578).
  • CVE-2020-26247: Fixed an XXE vulnerability in Nokogiri::XML::Schema (bsc#1180507).

Package list

Image SLES15-SAP-Azure
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SAP-Azure-BYOS
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SAP-Azure-LI-BYOS-Production
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SAP-Azure-VLI-BYOS-Production
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SAP-EC2-HVM
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SAP-EC2-HVM-BYOS
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SAP-GCE
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SAP-GCE-BYOS
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SAP-OCI-BYOS
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP1-SAP-Azure
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP1-SAP-Azure-BYOS
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP1-SAP-Azure-LI-BYOS-Production
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP1-SAP-EC2-HVM
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP1-SAP-EC2-HVM-BYOS
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP1-SAP-GCE
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP1-SAP-GCE-BYOS
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP1-SAP-OCI-BYOS
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP2-SAP-Azure
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP2-SAP-BYOS-Azure
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP2-SAP-BYOS-EC2-HVM
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP2-SAP-BYOS-GCE
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP2-SAP-EC2-HVM
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP2-SAP-GCE
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-BYOS-Azure
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-BYOS-EC2-HVM
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-BYOS-GCE
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-EC2-HVM
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-GCE
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-HPC-Azure
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-HPC-BYOS-Azure
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-HPC-BYOS-EC2-HVM
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-HPC-BYOS-GCE
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-Manager-4-2-Proxy-BYOS-GCE
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-SAP-Azure
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-SAP-Azure-LI-BYOS-Production
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-SAP-BYOS-Azure
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-SAP-BYOS-EC2-HVM
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-SAP-BYOS-GCE
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-SAP-EC2-HVM
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-SAP-GCE
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-SAPCAL-Azure
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-SAPCAL-EC2-HVM
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SP3-SAPCAL-GCE
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
SUSE Linux Enterprise High Availability Extension 15
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
SUSE Linux Enterprise High Availability Extension 15 SP1
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
SUSE Linux Enterprise High Availability Extension 15 SP2
ruby2.5-rubygem-nokogiri-1.8.5-3.6.1

Description

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
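The description above turns on a Ruby pitfall: `Kernel#open` treats a filename that begins with `|` as a command to spawn, whereas `File.open` always treats its argument as a path. The following is an added example, not code from Nokogiri, Rexical or the SUSE package; the helper names `pipe_spec?`, `read_untrusted_file` and `demo` are assumptions made for this illustration. It shows the defensive pattern for reading a file whose name came from untrusted input: reject pipe-style names explicitly so the rejection is visible, and use `File.open` so that even a missed case cannot start a subprocess.

```ruby
# Added example (not Nokogiri, Rexical or SUSE code): reading a file whose
# name came from an untrusted source without the Kernel#open pipe behaviour.
#
# Kernel#open("|cmd") spawns `cmd` in a subprocess instead of opening a file;
# that is the root of the CVE-2019-5477 description above. File.open has no
# such mode: its argument is always interpreted as a path.

require "tempfile"

# Returns true when Kernel#open would interpret the name as a command pipe.
def pipe_spec?(name)
  name.start_with?("|")
end

# Opens an untrusted filename as data only. Pipe-style names are rejected up
# front (so the attempt can be logged), and File.open, never Kernel#open, is
# used so that a missed case still cannot execute anything.
def read_untrusted_file(name)
  raise ArgumentError, "pipe-style filename rejected: #{name.inspect}" if pipe_spec?(name)
  File.open(name, File::RDONLY) { |f| f.read }
end

# Demonstration on a constructed temporary file; returns its contents.
def demo
  Tempfile.create("nokogiri-example") do |f|
    f.write("selector data")
    f.flush
    read_untrusted_file(f.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts demo
  begin
    read_untrusted_file("|echo this-would-have-run-under-Kernel.open")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The same rule applies to any library helper that accepts a filename from callers: use `File.open` (or `IO.sysopen`) rather than the bare `open`, and treat the filename as data, not as a specification of what to run.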


Affected products
Image SLES15-SAP-Azure-BYOS:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SAP-Azure-LI-BYOS-Production:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SAP-Azure-VLI-BYOS-Production:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SAP-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1

References

Description

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.


Affected products
Image SLES15-SAP-Azure-BYOS:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SAP-Azure-LI-BYOS-Production:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SAP-Azure-VLI-BYOS-Production:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1
Image SLES15-SAP-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1

References