Debian Security Advisory

DLA-3003-1 ruby-nokogiri -- LTS security update

Date Reported:
13 May 2022
Affected Packages:
ruby-nokogiri
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2022-24836.
More information:

It was discovered that ruby-nokogiri, an HTML, XML, and SAX parser written in and for the Ruby programming language, was vulnerable to a potential denial of service. This was caused by the use of inefficient regular expressions that were susceptible to excessive backtracking.

  • CVE-2022-24836: Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.
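The following is an added illustration of the vulnerability class behind this advisory; it is not Nokogiri's code and does not reproduce the pattern fixed in 1.13.4. Both regular expressions, the helper names, the sample documents and the time budget are constructed for this example. A toy charset sniffer with a nested quantifier is placed beside a linear-time rewrite, and a helper runs either pattern under a wall-clock budget so that an unexpectedly slow match is reported instead of stalling the process.

```ruby
require 'timeout'
require 'benchmark'

# Constructed vulnerable sniffer (an assumption for this illustration, not
# Nokogiri's pattern): `(\s+)*` nests one unbounded repetition inside another.
# When the closing quote never arrives, the engine tries every way of splitting
# a run of N spaces between the inner and outer loop (about 2**N attempts)
# before it can report "no match".
NAIVE_CHARSET = /charset=(\s+)*"(?<charset>[A-Za-z0-9_.:-]+)"/i

# Hardened form: a single `\s*` consumes the whitespace run in exactly one
# way, so the backtracking work is bounded by the length of the input.
SAFE_CHARSET = /charset=\s*"(?<charset>[A-Za-z0-9_.:-]+)"/i

# Constructed sample documents.
BENIGN_HTML = '<html><head><meta charset="UTF-8"></head></html>'

# A document whose charset attribute is never closed, padded with `spaces`
# blanks: the shape of input that makes the naive pattern backtrack.
def crafted_html(spaces)
  '<html><head><meta charset=' + (' ' * spaces) + 'x></head></html>'
end

# Exceptions that signal an exhausted budget: Timeout::Error from the timer
# thread fallback, Regexp::TimeoutError from the engine on Ruby >= 3.2.
MATCH_TIMEOUTS = [Timeout::Error]
MATCH_TIMEOUTS << Regexp::TimeoutError if defined?(Regexp::TimeoutError)

# Run one match with a wall-clock budget. Returns the charset (String), nil
# when the pattern does not match, or :timed_out when the budget is exhausted.
def sniff_with_budget(html, pattern, seconds)
  m =
    if Regexp.respond_to?(:timeout=)
      # Ruby >= 3.2: a per-pattern timeout enforced inside the regex engine.
      Regexp.new(pattern.source, pattern.options, timeout: seconds).match(html)
    else
      # Older Rubies (such as the one alongside Debian 9's ruby-nokogiri):
      # interrupt the match from a timer thread at the engine's interrupt checks.
      Timeout.timeout(seconds) { pattern.match(html) }
    end
  m && m[:charset]
rescue *MATCH_TIMEOUTS
  :timed_out
end

# Both patterns must agree on well-formed input; only their cost on
# malformed input differs.
def patterns_agree?(html)
  sniff_with_budget(html, NAIVE_CHARSET, 2.0) == sniff_with_budget(html, SAFE_CHARSET, 2.0)
end

if __FILE__ == $PROGRAM_NAME
  [NAIVE_CHARSET, SAFE_CHARSET].each do |pat|
    result = nil
    elapsed = Benchmark.realtime { result = sniff_with_budget(crafted_html(24), pat, 2.0) }
    printf("%-48s -> %-10s in %.3fs\n", pat.source, result.inspect, elapsed)
  end
end
```

On Ruby 3.2 and later the interpreter's regex memoization already makes this particular toy pattern run in linear time and Regexp.timeout is available, so the slow path is only visible on older interpreters; the budget guard is the part that matters either way, because it turns an exponential match into a bounded, observable failure rather than a stalled worker.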

For Debian 9 Stretch, this problem has been fixed in version 1.6.8.1-1+deb9u2.

We recommend that you upgrade your ruby-nokogiri packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS