Debian Security Advisory

DLA-229-1 libnokogiri-ruby -- LTS security update

Date Reported: 27 May 2015
Affected Packages: libnokogiri-ruby
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2012-6685.
More information:

An XML eXternal Entity (XXE) flaw was found in Nokogiri, a Ruby gem for parsing HTML, XML, and SAX. Using external XML entities, a remote attacker could specify a URL in a specially crafted XML document that, when parsed, would cause a connection to that URL to be opened.

This update enables the nonet option by default (and provides new methods to disable default options if needed).
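Because the protection is now a default that application code can switch off, a source audit is a useful follow-up. The following is an added example, not part of the advisory or of Nokogiri: a line-based heuristic that flags call sites which undo `nonet` or make external entities load. `nononet`, `noent` and `dtdload` are Nokogiri `ParseOptions` method names; the rule names and the sample source are constructed for illustration.

```ruby
# Added example: heuristic audit of Ruby source for Nokogiri parser settings
# that undo the NONET default or make external entities load.
RULES = {
  network_reenabled:   /\.nononet\b/,
  entity_substitution: /\.noent\b|ParseOptions::NOENT\b/,
  dtd_loading:         /\.dtdload\b|ParseOptions::DTDLOAD\b/
}.freeze

# An explicit options argument replaces the defaults, so a call that names
# ParseOptions constants without NONET (or a DEFAULT_* set) loses NONET.
def drops_nonet?(line)
  line.match?(/ParseOptions::[A-Z]/) &&
    !line.match?(/\bNONET\b|DEFAULT_(XML|HTML)\b/)
end

# Returns [[line_number, finding], ...] for every non-comment line.
def audit_source(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.strip.start_with?('#')
    RULES.each { |name, pattern| findings << [lineno, name] if line.match?(pattern) }
    findings << [lineno, :nonet_dropped] if drops_nonet?(line)
  end
  findings
end

# Constructed sample source (hypothetical application code).
SAMPLE = <<~'RUBY'
  doc = Nokogiri::XML(body)
  doc = Nokogiri::XML(body) { |config| config.nonet.nonoent }
  doc = Nokogiri::XML(body) { |config| config.nononet }
  doc = Nokogiri::XML(body) { |config| config.noent.dtdload }
  doc = Nokogiri::XML(body, nil, nil, Nokogiri::XML::ParseOptions::RECOVER)
  opts = Nokogiri::XML::ParseOptions::RECOVER | Nokogiri::XML::ParseOptions::NONET
  # config.nononet is mentioned here only in a comment
RUBY

if __FILE__ == $PROGRAM_NAME
  audit_source(SAMPLE).each { |lineno, name| puts "line #{lineno}: #{name}" }
end
```

Calls whose options span several lines are not matched by this line-based check, so treat a clean result as a starting point for review rather than proof.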