ruby4.0-rubygem-nokogiri-1.18.9-1.4 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:10356-1 Final 1 1 2026-03-13T00:00:00Z current 2026-03-13T00:00:00Z 2026-03-13T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby4.0-rubygem-nokogiri-1.18.9-1.4 on GA media These are all security issues fixed in the ruby4.0-rubygem-nokogiri-1.18.9-1.4 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2026-10356 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2013-2877/ SUSE CVE CVE-2013-2877 page https://www.suse.com/security/cve/CVE-2014-0191/ SUSE CVE CVE-2014-0191 page https://www.suse.com/security/cve/CVE-2015-1819/ SUSE CVE CVE-2015-1819 page https://www.suse.com/security/cve/CVE-2015-5312/ SUSE CVE CVE-2015-5312 page https://www.suse.com/security/cve/CVE-2015-7497/ SUSE CVE CVE-2015-7497 page https://www.suse.com/security/cve/CVE-2015-7498/ SUSE CVE CVE-2015-7498 page https://www.suse.com/security/cve/CVE-2015-7499/ SUSE CVE CVE-2015-7499 page https://www.suse.com/security/cve/CVE-2015-7500/ SUSE CVE CVE-2015-7500 page https://www.suse.com/security/cve/CVE-2015-7941/ SUSE CVE CVE-2015-7941 page https://www.suse.com/security/cve/CVE-2015-7942/ SUSE CVE CVE-2015-7942 page https://www.suse.com/security/cve/CVE-2015-7995/ SUSE CVE CVE-2015-7995 page https://www.suse.com/security/cve/CVE-2015-8035/ SUSE CVE CVE-2015-8035 page https://www.suse.com/security/cve/CVE-2015-8241/ SUSE CVE CVE-2015-8241 page https://www.suse.com/security/cve/CVE-2015-8242/ SUSE CVE CVE-2015-8242 page https://www.suse.com/security/cve/CVE-2015-8317/ SUSE CVE CVE-2015-8317 page https://www.suse.com/security/cve/CVE-2016-4658/ SUSE CVE CVE-2016-4658 page https://www.suse.com/security/cve/CVE-2016-4738/ SUSE CVE CVE-2016-4738 page https://www.suse.com/security/cve/CVE-2016-5131/ SUSE CVE CVE-2016-5131 page https://www.suse.com/security/cve/CVE-2017-15412/ SUSE CVE CVE-2017-15412 page https://www.suse.com/security/cve/CVE-2017-5029/ SUSE CVE CVE-2017-5029 page https://www.suse.com/security/cve/CVE-2018-14404/ SUSE CVE CVE-2018-14404 page https://www.suse.com/security/cve/CVE-2018-25032/ SUSE CVE CVE-2018-25032 page https://www.suse.com/security/cve/CVE-2018-8048/ SUSE CVE CVE-2018-8048 page https://www.suse.com/security/cve/CVE-2019-11068/ SUSE CVE CVE-2019-11068 page https://www.suse.com/security/cve/CVE-2019-20388/ SUSE CVE CVE-2019-20388 page https://www.suse.com/security/cve/CVE-2019-5477/ SUSE CVE CVE-2019-5477 page https://www.suse.com/security/cve/CVE-2020-24977/ SUSE CVE CVE-2020-24977 page https://www.suse.com/security/cve/CVE-2020-7595/ SUSE CVE CVE-2020-7595 page https://www.suse.com/security/cve/CVE-2021-30560/ SUSE CVE CVE-2021-30560 page https://www.suse.com/security/cve/CVE-2021-3516/ SUSE CVE CVE-2021-3516 page https://www.suse.com/security/cve/CVE-2021-3517/ SUSE CVE CVE-2021-3517 page https://www.suse.com/security/cve/CVE-2021-3518/ SUSE CVE CVE-2021-3518 page https://www.suse.com/security/cve/CVE-2021-3537/ SUSE CVE CVE-2021-3537 page https://www.suse.com/security/cve/CVE-2021-3541/ SUSE CVE CVE-2021-3541 page https://www.suse.com/security/cve/CVE-2021-41098/ SUSE CVE CVE-2021-41098 page https://www.suse.com/security/cve/CVE-2022-23308/ SUSE CVE CVE-2022-23308 page https://www.suse.com/security/cve/CVE-2022-23437/ SUSE CVE CVE-2022-23437 page https://www.suse.com/security/cve/CVE-2022-23476/ SUSE CVE CVE-2022-23476 page https://www.suse.com/security/cve/CVE-2022-24836/ SUSE CVE CVE-2022-24836 page https://www.suse.com/security/cve/CVE-2022-24839/ SUSE CVE CVE-2022-24839 page https://www.suse.com/security/cve/CVE-2022-29181/ SUSE CVE CVE-2022-29181 page https://www.suse.com/security/cve/CVE-2022-29824/ SUSE CVE CVE-2022-29824 page https://www.suse.com/security/cve/CVE-2022-34169/ SUSE CVE CVE-2022-34169 page https://www.suse.com/security/cve/CVE-2023-29469/ SUSE CVE CVE-2023-29469 page openSUSE Tumbleweed ruby4.0-rubygem-nokogiri-1.18.9-1.4 ruby4.0-rubygem-nokogiri-1.18.9-1.4 as a component of openSUSE Tumbleweed parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state. CVE-2013-2877 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-2877.html CVE-2013-2877 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/828893 SUSE Bug 828893 https://bugzilla.suse.com/829077 SUSE Bug 829077 https://bugzilla.suse.com/854869 SUSE Bug 854869 https://bugzilla.suse.com/877506 SUSE Bug 877506 The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document. CVE-2014-0191 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-0191.html CVE-2014-0191 https://bugzilla.suse.com/1014873 SUSE Bug 1014873 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/876652 SUSE Bug 876652 https://bugzilla.suse.com/877506 SUSE Bug 877506 https://bugzilla.suse.com/996079 SUSE Bug 996079 The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack. CVE-2015-1819 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-1819.html CVE-2015-1819 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/928193 SUSE Bug 928193 https://bugzilla.suse.com/969769 SUSE Bug 969769 The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660. CVE-2015-5312 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-5312.html CVE-2015-5312 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/957105 SUSE Bug 957105 https://bugzilla.suse.com/959469 SUSE Bug 959469 https://bugzilla.suse.com/969769 SUSE Bug 969769 Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors. CVE-2015-7497 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7497.html CVE-2015-7497 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/957106 SUSE Bug 957106 https://bugzilla.suse.com/959469 SUSE Bug 959469 https://bugzilla.suse.com/969769 SUSE Bug 969769 Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure. CVE-2015-7498 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7498.html CVE-2015-7498 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/957107 SUSE Bug 957107 https://bugzilla.suse.com/959469 SUSE Bug 959469 https://bugzilla.suse.com/969769 SUSE Bug 969769 Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. CVE-2015-7499 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7499.html CVE-2015-7499 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/957109 SUSE Bug 957109 https://bugzilla.suse.com/959469 SUSE Bug 959469 https://bugzilla.suse.com/969769 SUSE Bug 969769 The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags. CVE-2015-7500 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7500.html CVE-2015-7500 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/957110 SUSE Bug 957110 https://bugzilla.suse.com/959469 SUSE Bug 959469 https://bugzilla.suse.com/969769 SUSE Bug 969769 libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities. CVE-2015-7941 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7941.html CVE-2015-7941 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/951734 SUSE Bug 951734 https://bugzilla.suse.com/951735 SUSE Bug 951735 https://bugzilla.suse.com/969769 SUSE Bug 969769 The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941. CVE-2015-7942 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7942.html CVE-2015-7942 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/951735 SUSE Bug 951735 https://bugzilla.suse.com/969769 SUSE Bug 969769 The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element, which allows attackers to cause a denial of service via a crafted XML file, related to a "type confusion" issue. CVE-2015-7995 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7995.html CVE-2015-7995 https://bugzilla.suse.com/1123130 SUSE Bug 1123130 https://bugzilla.suse.com/952474 SUSE Bug 952474 The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data. CVE-2015-8035 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8035.html CVE-2015-8035 https://bugzilla.suse.com/1088279 SUSE Bug 1088279 https://bugzilla.suse.com/1105166 SUSE Bug 1105166 https://bugzilla.suse.com/954429 SUSE Bug 954429 The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. CVE-2015-8241 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8241.html CVE-2015-8241 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/956018 SUSE Bug 956018 https://bugzilla.suse.com/959469 SUSE Bug 959469 https://bugzilla.suse.com/969769 SUSE Bug 969769 The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. CVE-2015-8242 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8242.html CVE-2015-8242 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/956021 SUSE Bug 956021 https://bugzilla.suse.com/959469 SUSE Bug 959469 https://bugzilla.suse.com/969769 SUSE Bug 969769 The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read. CVE-2015-8317 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8317.html CVE-2015-8317 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/956260 SUSE Bug 956260 https://bugzilla.suse.com/959469 SUSE Bug 959469 https://bugzilla.suse.com/969769 SUSE Bug 969769 xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document. CVE-2016-4658 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4658.html CVE-2016-4658 https://bugzilla.suse.com/1005544 SUSE Bug 1005544 https://bugzilla.suse.com/1014873 SUSE Bug 1014873 https://bugzilla.suse.com/1069433 SUSE Bug 1069433 https://bugzilla.suse.com/1078813 SUSE Bug 1078813 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. CVE-2016-4738 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4738.html CVE-2016-4738 https://bugzilla.suse.com/1005591 SUSE Bug 1005591 https://bugzilla.suse.com/1123130 SUSE Bug 1123130 Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. CVE-2016-5131 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5131.html CVE-2016-5131 https://bugzilla.suse.com/1014873 SUSE Bug 1014873 https://bugzilla.suse.com/1069433 SUSE Bug 1069433 https://bugzilla.suse.com/1078813 SUSE Bug 1078813 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 https://bugzilla.suse.com/989901 SUSE Bug 989901 Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2017-15412 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-15412.html CVE-2017-15412 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 https://bugzilla.suse.com/1077993 SUSE Bug 1077993 https://bugzilla.suse.com/1123129 SUSE Bug 1123129 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. CVE-2017-5029 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 3.3 AV:L/AC:M/Au:N/C:N/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5029.html CVE-2017-5029 https://bugzilla.suse.com/1028848 SUSE Bug 1028848 https://bugzilla.suse.com/1028875 SUSE Bug 1028875 https://bugzilla.suse.com/1035905 SUSE Bug 1035905 https://bugzilla.suse.com/1123130 SUSE Bug 1123130 A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. CVE-2018-14404 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-14404.html CVE-2018-14404 https://bugzilla.suse.com/1102046 SUSE Bug 1102046 https://bugzilla.suse.com/1148896 SUSE Bug 1148896 zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. CVE-2018-25032 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-25032.html CVE-2018-25032 https://bugzilla.suse.com/1197459 SUSE Bug 1197459 https://bugzilla.suse.com/1197893 SUSE Bug 1197893 https://bugzilla.suse.com/1198667 SUSE Bug 1198667 https://bugzilla.suse.com/1199104 SUSE Bug 1199104 https://bugzilla.suse.com/1200049 SUSE Bug 1200049 https://bugzilla.suse.com/1201732 SUSE Bug 1201732 https://bugzilla.suse.com/1202688 SUSE Bug 1202688 https://bugzilla.suse.com/1224427 SUSE Bug 1224427 In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment. CVE-2018-8048 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-8048.html CVE-2018-8048 https://bugzilla.suse.com/1085967 SUSE Bug 1085967 https://bugzilla.suse.com/1086598 SUSE Bug 1086598 libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. CVE-2019-11068 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11068.html CVE-2019-11068 https://bugzilla.suse.com/1132160 SUSE Bug 1132160 https://bugzilla.suse.com/1154212 SUSE Bug 1154212 xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak. CVE-2019-20388 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-20388.html CVE-2019-20388 https://bugzilla.suse.com/1161521 SUSE Bug 1161521 https://bugzilla.suse.com/1191860 SUSE Bug 1191860 A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4. CVE-2019-5477 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-5477.html CVE-2019-5477 https://bugzilla.suse.com/1146578 SUSE Bug 1146578 GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e. CVE-2020-24977 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-24977.html CVE-2020-24977 https://bugzilla.suse.com/1176179 SUSE Bug 1176179 https://bugzilla.suse.com/1191860 SUSE Bug 1191860 xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. CVE-2020-7595 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-7595.html CVE-2020-7595 https://bugzilla.suse.com/1161517 SUSE Bug 1161517 https://bugzilla.suse.com/1191860 SUSE Bug 1191860 Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30560 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-30560.html CVE-2021-30560 https://bugzilla.suse.com/1188373 SUSE Bug 1188373 https://bugzilla.suse.com/1208574 SUSE Bug 1208574 https://bugzilla.suse.com/1211500 SUSE Bug 1211500 https://bugzilla.suse.com/1211501 SUSE Bug 1211501 https://bugzilla.suse.com/1211544 SUSE Bug 1211544 There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability. CVE-2021-3516 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3516.html CVE-2021-3516 https://bugzilla.suse.com/1185409 SUSE Bug 1185409 https://bugzilla.suse.com/1191860 SUSE Bug 1191860 There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. CVE-2021-3517 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3517.html CVE-2021-3517 https://bugzilla.suse.com/1185410 SUSE Bug 1185410 https://bugzilla.suse.com/1191860 SUSE Bug 1191860 https://bugzilla.suse.com/1194438 SUSE Bug 1194438 https://bugzilla.suse.com/1196383 SUSE Bug 1196383 There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. CVE-2021-3518 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3518.html CVE-2021-3518 https://bugzilla.suse.com/1185408 SUSE Bug 1185408 https://bugzilla.suse.com/1191860 SUSE Bug 1191860 A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability. CVE-2021-3537 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3537.html CVE-2021-3537 https://bugzilla.suse.com/1185698 SUSE Bug 1185698 A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service. CVE-2021-3541 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3541.html CVE-2021-3541 https://bugzilla.suse.com/1186015 SUSE Bug 1186015 Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected. CVE-2021-41098 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41098.html CVE-2021-41098 https://bugzilla.suse.com/1191029 SUSE Bug 1191029 valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. CVE-2022-23308 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-23308.html CVE-2022-23308 https://bugzilla.suse.com/1196490 SUSE Bug 1196490 https://bugzilla.suse.com/1199098 SUSE Bug 1199098 https://bugzilla.suse.com/1202688 SUSE Bug 1202688 There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. CVE-2022-23437 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-23437.html CVE-2022-23437 https://bugzilla.suse.com/1195108 SUSE Bug 1195108 https://bugzilla.suse.com/1196394 SUSE Bug 1196394 Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected. CVE-2022-23476 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-23476.html CVE-2022-23476 https://bugzilla.suse.com/1206227 SUSE Bug 1206227 Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue. CVE-2022-24836 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-24836.html CVE-2022-24836 https://bugzilla.suse.com/1198408 SUSE Bug 1198408 org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability. CVE-2022-24839 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-24839.html CVE-2022-24839 https://bugzilla.suse.com/1198404 SUSE Bug 1198404 Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent. CVE-2022-29181 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-29181.html CVE-2022-29181 https://bugzilla.suse.com/1199782 SUSE Bug 1199782 In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well. CVE-2022-29824 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-29824.html CVE-2022-29824 https://bugzilla.suse.com/1199132 SUSE Bug 1199132 https://bugzilla.suse.com/1202878 SUSE Bug 1202878 https://bugzilla.suse.com/1204121 SUSE Bug 1204121 https://bugzilla.suse.com/1204131 SUSE Bug 1204131 https://bugzilla.suse.com/1205069 SUSE Bug 1205069 The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan. CVE-2022-34169 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-34169.html CVE-2022-34169 https://bugzilla.suse.com/1201684 SUSE Bug 1201684 https://bugzilla.suse.com/1202427 SUSE Bug 1202427 https://bugzilla.suse.com/1207688 SUSE Bug 1207688 An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value). CVE-2023-29469 openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-29469.html CVE-2023-29469 https://bugzilla.suse.com/1210412 SUSE Bug 1210412