ruby3.1-rubygem-nokogiri-1.13.6-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12085 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby3.1-rubygem-nokogiri-1.13.6-1.1 on GA media These are all security issues fixed in the ruby3.1-rubygem-nokogiri-1.13.6-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12085 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12085 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-29181/ SUSE CVE CVE-2022-29181 page https://www.suse.com/security/cve/CVE-2022-29824/ SUSE CVE CVE-2022-29824 page openSUSE Tumbleweed ruby3.1-rubygem-nokogiri-1.13.6-1.1 ruby3.1-rubygem-nokogiri-1.13.6-1.1 as a component of openSUSE Tumbleweed Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent. CVE-2022-29181 openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.6-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-29181.html CVE-2022-29181 https://bugzilla.suse.com/1199782 SUSE Bug 1199782 In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well. CVE-2022-29824 openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.6-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-29824.html CVE-2022-29824 https://bugzilla.suse.com/1199132 SUSE Bug 1199132 https://bugzilla.suse.com/1202878 SUSE Bug 1202878 https://bugzilla.suse.com/1204121 SUSE Bug 1204121 https://bugzilla.suse.com/1204131 SUSE Bug 1204131 https://bugzilla.suse.com/1205069 SUSE Bug 1205069