ELA-438-1 ruby-nokogiri security update

XXE vulnerability

2021-06-01
Packageruby-nokogiri
Version1.6.3.1+ds-1+deb8u2
Related CVEs CVE-2020-26247

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. An XXE vulnerability was found in Nokogiri. XML Schemas parsed by Nokogiri::XML::Schema were trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. The new default behavior is to treat all input as untrusted. See also upstream’s security advisory for more information how to mitigate the problem or to restore the old behavior again.

For Debian 8 jessie, these problems have been fixed in version 1.6.3.1+ds-1+deb8u2.

We recommend that you upgrade your ruby-nokogiri packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/