Bug 1046664 - (CVE-2013-6461) CVE-2013-6461 rubygem-nokogiri: DoS while parsing XML entities
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20131215,repor...
Keywords: Security
Depends On: 1046665
Blocks: 1046667
Reported: 2013-12-26 08:14 EST by Ratul Gupta
Modified: 2016-04-26 22:34 EDT
Fixed In Version: rubygem-nokogiri 1.5.11, rubygem-nokogiri 1.6.1
Doc Type: Bug Fix
Last Closed: 2014-01-23 14:23:51 EST
Description Ratul Gupta 2013-12-26 08:14:53 EST
Nokogiri gem for Ruby was found to be affected by a DoS vulnerability, where an error when parsing XML entities can be exploited to exhaust memory and cause a crash via a specially crafted XML document including external entity references.

This issue is said to be affecting the versions 1.5.x and 1.6.x; 1.4.x and earlier versions are reported to be not affected by this vulnerability.

This issue is said to be fixed in versions 1.5.11 and 1.6.1.

References:
https://bugs.gentoo.org/show_bug.cgi?id=495218

Original Advisory:
https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA
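Added example (not Nokogiri's code and not part of this bug report): a parser-independent pre-check in plain Ruby that inspects a document's DOCTYPE internal subset before the document reaches any XML library. It refuses external entity declarations and bounds the total size that nested entity references would expand to, which is the memory-exhaustion pattern the description above refers to. The byte budget, nesting limit, regexes, function names and the three sample documents are all assumptions made for this illustration.

```ruby
# Added example (not Nokogiri code and not from this bug report): a parser-
# independent guard that inspects an XML document's internal DTD subset before
# it is handed to any XML library. It rejects external entity declarations and
# bounds the total size that internal entity references would expand to, so a
# document built to exhaust memory through entity expansion is refused up front.

class EntityBomb < StandardError; end

MAX_EXPANSION_BYTES = 1_000   # assumed budget; tune to what the application expects
MAX_ENTITY_DEPTH    = 8       # assumed maximum nesting of entity references

EntityDecl = Struct.new(:name, :value, :external)

# <!ENTITY name "value">, <!ENTITY name 'value'>, <!ENTITY name SYSTEM "uri"> ...
ENTITY_RE  = /<!ENTITY\s+(%\s+)?([A-Za-z_][\w.\-]*)\s+(?:(SYSTEM|PUBLIC)\b[^>]*|"([^"]*)"|'([^']*)')\s*>/m
REF_RE     = /&([A-Za-z_][\w.\-]*);/               # a general entity reference
DOCTYPE_RE = /<!DOCTYPE\b[^\[>]*(?:\[.*?\])?\s*>/m  # DOCTYPE with optional internal subset
                                                    # (entity values containing ']' are out of scope)

# Collect every entity declaration; SYSTEM/PUBLIC ones are flagged as external.
def entity_declarations(xml)
  xml.scan(ENTITY_RE).map do |_param, name, ext_kw, dq, sq|
    EntityDecl.new(name, dq || sq || "", !ext_kw.nil?)
  end
end

# Byte size of an entity once every nested &ref; inside it has been expanded.
# Memoised per name so the cost is linear in the number of declarations, and
# aborted as soon as the running total crosses the budget, so the guard itself
# never does the exponential work it is meant to prevent.
def expanded_size(name, table, memo = {}, stack = [])
  return memo[name] if memo.key?(name)
  raise EntityBomb, "entity reference cycle through &#{name};" if stack.include?(name)
  raise EntityBomb, "entity nesting deeper than #{MAX_ENTITY_DEPTH} at &#{name};" if stack.size > MAX_ENTITY_DEPTH

  decl = table[name]
  return 0 unless decl   # undeclared names (&amp;, &lt;, ...) are left to the parser
  size = decl.value.bytesize
  decl.value.scan(REF_RE) do |(ref)|
    next unless table.key?(ref)
    size -= ref.bytesize + 2                                  # drop the literal "&ref;"
    size += expanded_size(ref, table, memo, stack + [name])   # add its expansion
    raise EntityBomb, "expansion of &#{name}; exceeds #{MAX_EXPANSION_BYTES} bytes" if size > MAX_EXPANSION_BYTES
  end
  memo[name] = size
end

# Verdict for a whole document: { ok:, reason:, expansion: } where expansion is
# the number of bytes all entity references in the body would expand to.
def check_entities(xml)
  decls = entity_declarations(xml)
  ext = decls.find(&:external)
  return { ok: false, reason: "external entity declared: #{ext.name}", expansion: nil } if ext

  table  = decls.map { |d| [d.name, d] }.to_h
  memo   = {}
  body   = xml.sub(DOCTYPE_RE, "")
  counts = body.scan(REF_RE).each_with_object(Hash.new(0)) { |(ref), h| h[ref] += 1 }
  total  = 0
  counts.each do |ref, n|
    next unless table.key?(ref)
    total += n * expanded_size(ref, table, memo)
    if total > MAX_EXPANSION_BYTES
      return { ok: false, reason: "document expands to more than #{MAX_EXPANSION_BYTES} bytes", expansion: total }
    end
  end
  { ok: true, reason: nil, expansion: total }
rescue EntityBomb => e
  { ok: false, reason: e.message, expansion: nil }
end

# Constructed sample documents for the three cases the guard distinguishes.
BENIGN_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE note [ <!ENTITY company "Example Corp"> ]>
  <note><to>&company;</to></note>
XML

NESTED_XML = <<~XML   # three levels of ten-fold nesting: "lol" repeated 1,000 times
  <?xml version="1.0"?>
  <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  ]>
  <lolz>&lol3;</lolz>
XML

EXTERNAL_XML = <<~XML
  <!DOCTYPE d [ <!ENTITY ext SYSTEM "external-resource.xml"> ]>
  <d>&ext;</d>
XML

if __FILE__ == $PROGRAM_NAME
  { benign: BENIGN_XML, nested: NESTED_XML, external: EXTERNAL_XML }.each do |label, doc|
    puts "#{label}: #{check_entities(doc)}"
  end
end
```

The guard sits in front of whatever parser handles untrusted XML; keeping the budget check inside the memoised expansion walk is what stops the check itself from doing the exponential work. It is independent of the parser backend, so it applies equally to the JRuby implementation named in comment 5 and to the libxml2 build, whose default Nokogiri XML parse options (NONET set, NOENT unset) already avoid fetching external entities and substituting entity references.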
Comment 1 Ratul Gupta 2013-12-26 08:19:17 EST
Created rubygem-nokogiri tracking bugs for this issue:

Affects: fedora-all [bug 1046665]
Comment 2 Ratul Gupta 2013-12-27 00:18:36 EST
CVE Request:
http://seclists.org/oss-sec/2013/q4/551
Comment 3 Mamoru TASAKA 2013-12-27 05:20:51 EST
Setting needinfo also here. See bug 1046663 comment 2
Comment 5 Vincent Danen 2014-01-23 14:23:51 EST
This issue does not affect anything we ship.  While the nokogiri rubygem is included in Fedora and EPEL, there is no JRuby implementation provided on either platform.
