Bug 877506

Summary: VUL-0: rubygem-nokogiri: CVE-2013-2877 and CVE-2014-0191 backport of fixes
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Jordi Massaguer <jmassaguerpla>
Status: VERIFIED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: mrueckert, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv2:SUSE:CVE-2014-0191:7.1:(AV:N/AC:M/Au:N/C:N/I:N/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Sebastian Krahmer 2014-05-13 14:10:02 UTC
Via ruby-security list:

nokogiri version 1.6.2 has been released.

A set of security and bugfix patches have been backported from the libxml2
and libxslt repositories onto the versions of 2.8.0/1.1.28 packaged with
Nokogiri, including these notable security fixes:

* https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f
* CVE-2013-2877
  https://git.gnome.org/browse/libxml2/commit/?id=e50ba8164eee06461c73cd8abb9b46aa0be81869
* CVE-2014-0191
  https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df

It is recommended that you upgrade from 1.6.x to this version as soon as
possible.
Comment 1 Marcus Rückert 2014-05-13 15:01:50 UTC
This is imho a noop for us. We are not using the in-tree libxml copy. The fixes mentioned there only apply to the in-tree copy.
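The distinction made in Comment 1 (bundled, in-tree libxml2 versus the system library) decides whether the Nokogiri 1.6.2 advisory applies to a given installation. The following Ruby script is an added example, not part of this bug report or of Nokogiri, that makes that decision from Nokogiri::VERSION_INFO. It assumes the documented shape of that hash, where `VERSION_INFO['libxml']['source']` is `"packaged"` for the in-tree copy or `"system"` for a distro-provided libxml2 and `'loaded'` is the libxml2 version linked at runtime; the sample hashes at the bottom are constructed for illustration. For the system-library case the script deliberately gives no verdict on the CVEs, since that depends on the distribution's own libxml2 patches rather than on the Nokogiri release.

```ruby
# Added example (not from the bug report): classify a Nokogiri installation
# against the 1.6.2 advisory using Nokogiri::VERSION_INFO.
require 'rubygems'

# First Nokogiri release carrying the backported libxml2 fixes (from the advisory).
FIXED_NOKOGIRI = Gem::Version.new('1.6.2')

# Returns [status_symbol, explanation]. `version` is the Nokogiri version
# string, `version_info` a hash shaped like Nokogiri::VERSION_INFO (assumed
# keys: 'libxml' => { 'source' => 'packaged' | 'system', 'loaded' => '2.x.y' }).
def classify_nokogiri(version, version_info)
  libxml = version_info.fetch('libxml', {})
  source = libxml['source']
  loaded = libxml['loaded'] || 'unknown'

  case source
  when 'packaged'
    # The advisory's fixes live in the bundled libxml2, so the Nokogiri
    # release number is what matters here.
    if Gem::Version.new(version) < FIXED_NOKOGIRI
      [:affected,
       "Nokogiri #{version} uses its bundled libxml2 #{loaded}; " \
       "upgrade to #{FIXED_NOKOGIRI} or later"]
    else
      [:fixed,
       "Nokogiri #{version} bundles libxml2 #{loaded} with the backported fixes"]
    end
  when 'system'
    # Same situation as Comment 1: the in-tree patches do not apply, and the
    # system libxml2 must be assessed through the OS vendor's updates instead.
    [:not_applicable,
     "Nokogiri #{version} links the system libxml2 #{loaded}; " \
     "the bundled-copy fixes do not apply, check the OS libxml2 package"]
  else
    [:unknown, 'cannot determine the libxml2 source from VERSION_INFO']
  end
end

# Inspect the Nokogiri actually installed in this Ruby, if any.
def classify_installed
  require 'nokogiri'
  classify_nokogiri(Nokogiri::VERSION, Nokogiri::VERSION_INFO)
rescue LoadError
  [:unknown, 'nokogiri is not installed in this Ruby']
end

# Constructed sample inputs (not real installations) covering the three cases.
SAMPLE_INFOS = {
  'old gem, bundled libxml2' =>
    ['1.6.1', { 'libxml' => { 'source' => 'packaged', 'loaded' => '2.8.0' } }],
  'fixed gem, bundled libxml2' =>
    ['1.6.2', { 'libxml' => { 'source' => 'packaged', 'loaded' => '2.8.0' } }],
  'distro gem, system libxml2' =>
    ['1.6.1', { 'libxml' => { 'source' => 'system', 'loaded' => '2.7.6' } }]
}.freeze

# Returns { label => status } for the constructed samples.
def classify_samples
  SAMPLE_INFOS.transform_values { |(ver, info)| classify_nokogiri(ver, info).first }
end

if $PROGRAM_NAME == __FILE__
  classify_samples.each { |label, status| puts "#{label}: #{status}" }
  status, why = classify_installed
  puts "this Ruby: #{status} (#{why})"
end
```

Run it inside the Ruby that carries the gem in question (for example via `bundle exec ruby check_nokogiri.rb` under the application's bundle), since a different Ruby may load a different Nokogiri build.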
Comment 2 Swamp Workflow Management 2014-05-13 22:00:26 UTC
bugbot adjusting priority