ruby3.2-rubygem-nokogiri-1.15.4-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13440 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby3.2-rubygem-nokogiri-1.15.4-1.1 on GA media These are all security issues fixed in the ruby3.2-rubygem-nokogiri-1.15.4-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13440 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13440 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-23476/ SUSE CVE CVE-2022-23476 page https://www.suse.com/security/cve/CVE-2022-34169/ SUSE CVE CVE-2022-34169 page https://www.suse.com/security/cve/CVE-2023-29469/ SUSE CVE CVE-2023-29469 page openSUSE Tumbleweed ruby3.2-rubygem-nokogiri-1.15.4-1.1 ruby3.2-rubygem-nokogiri-1.15.4-1.1 as a component of openSUSE Tumbleweed Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected. CVE-2022-23476 openSUSE Tumbleweed:ruby3.2-rubygem-nokogiri-1.15.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-23476.html CVE-2022-23476 https://bugzilla.suse.com/1206227 SUSE Bug 1206227 The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan. CVE-2022-34169 openSUSE Tumbleweed:ruby3.2-rubygem-nokogiri-1.15.4-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-34169.html CVE-2022-34169 https://bugzilla.suse.com/1201684 SUSE Bug 1201684 https://bugzilla.suse.com/1202427 SUSE Bug 1202427 https://bugzilla.suse.com/1207688 SUSE Bug 1207688 An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value). CVE-2023-29469 openSUSE Tumbleweed:ruby3.2-rubygem-nokogiri-1.15.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-29469.html CVE-2023-29469 https://bugzilla.suse.com/1210412 SUSE Bug 1210412