The Nokogiri gem for Ruby was found to be affected by a DoS vulnerability, where an error when parsing XML entities can be exploited to exhaust memory and cause a crash via a specially crafted XML document including external entity references. This issue is said to be affecting the versions 1.5.x and 1.6.x; 1.4.x and earlier versions are reported to be not affected by this vulnerability. This issue is said to be fixed in versions 1.5.11 and 1.6.1.

References: https://bugs.gentoo.org/show_bug.cgi?id=495218
Original Advisory: https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA
Created rubygem-nokogiri tracking bugs for this issue: Affects: fedora-all [bug 1046665]
CVE Request: http://seclists.org/oss-sec/2013/q4/551
Setting needinfo also here. See bug 1046663 comment 2
This issue does not affect anything we ship. While the nokogiri rubygem is included in Fedora and EPEL, there is no JRuby implementation provided on either platform.