ruby3.1-rubygem-nokogiri-1.13.4-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11999-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby3.1-rubygem-nokogiri-1.13.4-1.1 on GA media These are all security issues fixed in the ruby3.1-rubygem-nokogiri-1.13.4-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11999 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-25032/ SUSE CVE CVE-2018-25032 page https://www.suse.com/security/cve/CVE-2022-23437/ SUSE CVE CVE-2022-23437 page https://www.suse.com/security/cve/CVE-2022-24836/ SUSE CVE CVE-2022-24836 page https://www.suse.com/security/cve/CVE-2022-24839/ SUSE CVE CVE-2022-24839 page openSUSE Tumbleweed ruby3.1-rubygem-nokogiri-1.13.4-1.1 ruby3.1-rubygem-nokogiri-1.13.4-1.1 as a component of openSUSE Tumbleweed zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. CVE-2018-25032 openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-25032.html CVE-2018-25032 https://bugzilla.suse.com/1197459 SUSE Bug 1197459 https://bugzilla.suse.com/1197893 SUSE Bug 1197893 https://bugzilla.suse.com/1198667 SUSE Bug 1198667 https://bugzilla.suse.com/1199104 SUSE Bug 1199104 https://bugzilla.suse.com/1200049 SUSE Bug 1200049 https://bugzilla.suse.com/1201732 SUSE Bug 1201732 https://bugzilla.suse.com/1202688 SUSE Bug 1202688 https://bugzilla.suse.com/1224427 SUSE Bug 1224427 There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. CVE-2022-23437 openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1 important 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-23437.html CVE-2022-23437 https://bugzilla.suse.com/1195108 SUSE Bug 1195108 https://bugzilla.suse.com/1196394 SUSE Bug 1196394 Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue. CVE-2022-24836 openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-24836.html CVE-2022-24836 https://bugzilla.suse.com/1198408 SUSE Bug 1198408 org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability. CVE-2022-24839 openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-24839.html CVE-2022-24839 https://bugzilla.suse.com/1198404 SUSE Bug 1198404