Debian Security Advisory
DLA-3003-1 ruby-nokogiri -- LTS security update
- Date Reported:
- 13 May 2022
- Affected Packages:
- ruby-nokogiri
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2022-24836.
- More information:
It was discovered that there was a potential denial of service attack in ruby-nokogiri, an HTML, XML and SAX parser written in and for the Ruby programming language. This was caused by the use of inefficient regular expressions that were susceptible to excessive backtracking.
- CVE-2022-24836
CVE-2022-24836: Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.
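The advisory describes the failure mode (a regular expression that backtracks excessively while looking for a charset declaration in an HTML document) but not the defensive pattern. The following is an added example, not Nokogiri's own code or its fix: a charset detector that bounds the work an attacker can cause by scanning only a fixed prefix of the document, by applying the regular expression to one `<meta>` tag at a time, and by using a pattern whose pieces cannot overlap. The byte limits `PREFIX_BYTES` and `MAX_TAG_BYTES` are assumed values chosen for this example, and `RISKY_META_RE` is a constructed pattern shown only for contrast; neither is taken from Nokogiri.

```ruby
# Added example: bounded charset detection for an HTML document.
# Not Nokogiri's implementation; limits below are assumed for illustration.

PREFIX_BYTES  = 1024  # assumed: only this many leading bytes are inspected
MAX_TAG_BYTES = 512   # assumed: a single <meta> tag longer than this is ignored

# Constructed pattern of the risky shape, never applied to input here:
# '\s+' and '[^>]*' both match spaces, so when 'charset' is absent the engine
# retries every way of splitting a long run of whitespace between them, and
# the work grows quadratically with the length of the tag.
RISKY_META_RE = /<meta\s+[^>]*charset\s*=\s*["']?([^\s"'>]+)/i

# Hardened pattern, applied only to one short tag at a time. '\s*' and '='
# cannot match the same byte, and the charset name is a bounded class, so
# there is no ambiguity for the engine to backtrack over.
CHARSET_RE = /charset\s*=\s*["']?([A-Za-z0-9._:-]{1,40})/i

# Returns the declared charset (lower-cased) from the first PREFIX_BYTES of
# `html`, or nil if no usable <meta ... charset=...> tag is found there.
def detect_html_charset(html, prefix_bytes: PREFIX_BYTES)
  # Work on raw bytes: the document's encoding is exactly what is unknown.
  head = html.byteslice(0, prefix_bytes).b.downcase
  pos = 0
  while (start = head.index('<meta', pos))
    stop = head.index('>', start)
    break if stop.nil?            # tag is cut off by the prefix limit: give up
    tag = head[start..stop]
    pos = stop + 1
    next if tag.bytesize > MAX_TAG_BYTES
    if (m = CHARSET_RE.match(tag))
      return m[1]
    end
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample documents.
  p detect_html_charset('<html><head><meta charset="UTF-8"></head></html>')
  p detect_html_charset('<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">')
  # Hostile-shaped input: an enormous, never-closed tag. Only the prefix is read.
  p detect_html_charset('<meta ' + (' ' * 100_000) + '>')
end
```

The two limits matter as much as the pattern: even a linear-time regular expression becomes a denial-of-service vector if it is run over an unbounded document every time a request arrives, so the prefix cap turns the cost of detection into a constant regardless of input size.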
For Debian 9 "Stretch", these problems have been fixed in version 1.6.8.1-1+deb9u2.

We recommend that you upgrade your ruby-nokogiri packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS