Nokogiri gem for Ruby was found to be affected by a DoS vulnerability, where an error when parsing XML documents can be exploited by an attacker to cause an infinite loop and subsequently exhaust memory and cause a crash via a specially crafted XML document. This issue is said to be affecting the versions 1.5.x and 1.6.x, 1.4.x and earlier versions are reported to be not affected by this vulnerability. This issue is said to be fixed in versions 1.5.11 and 1.6.1. References: https://bugs.gentoo.org/show_bug.cgi?id=495218 Original Advisory: https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA
Created rubygem-nokogiri tracking bugs for this issue: Affects: fedora-all [bug 1046665]
Would you confirm if this really affects fedora? Upstream info says JRuby extension is affected, patches are for .java files, however fedora (at least fedora's rubygem-nokogiri srpm) does not ship nokogiri JRuby extension. Java files are included in http://rubygems.org/downloads/nokogiri-1.5.11-java.gem or so, however fedora srpm does not use this, and uses http://rubygems.org/downloads/nokogiri-1.5.9.gem or so.
CVE Request: http://seclists.org/oss-sec/2013/q4/551
Again setting needinfo.
This issue does not affect anything we ship. While the nokogiri rubygem is included in Fedora and EPEL, there is no JRuby implementation provided on either platform.