Security update for rubygem-nokogiri SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:4015-1 Final 1 1 2022-11-16T13:51:54Z current 2022-11-16T13:51:54Z 2022-11-16T13:51:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-nokogiri This update for rubygem-nokogiri fixes the following issues: - CVE-2022-24836: Fixes possibility to DoS because of inefficient RE in HTML encoding. (bsc#1198408) - CVE-2022-29181: Fixes Improper Handling of Unexpected Data Typesi. (bsc#1199782) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP3-BYOS-Azure-2022-4015,Image SLES15-SP3-BYOS-EC2-HVM-2022-4015,Image SLES15-SP3-BYOS-GCE-2022-4015,Image SLES15-SP3-HPC-BYOS-Azure-2022-4015,Image SLES15-SP3-HPC-BYOS-EC2-HVM-2022-4015,Image SLES15-SP3-HPC-BYOS-GCE-2022-4015,Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure-2022-4015,Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM-2022-4015,Image SLES15-SP3-Manager-4-2-Proxy-BYOS-GCE-2022-4015,Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure-2022-4015,Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM-2022-4015,Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE-2022-4015,Image SLES15-SP3-SAP-Azure-LI-BYOS-Production-2022-4015,Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production-2022-4015,Image SLES15-SP3-SAP-BYOS-Azure-2022-4015,Image SLES15-SP3-SAP-BYOS-EC2-HVM-2022-4015,Image SLES15-SP3-SAP-BYOS-GCE-2022-4015,Image SLES15-SP3-SAPCAL-Azure-2022-4015,Image SLES15-SP3-SAPCAL-EC2-HVM-2022-4015,Image SLES15-SP3-SAPCAL-GCE-2022-4015,SUSE-2022-4015,SUSE-SLE-Module-Basesystem-15-SP3-2022-4015,SUSE-SLE-Product-HA-15-2022-4015,SUSE-SLE-Product-HA-15-SP1-2022-4015,SUSE-SLE-Product-HA-15-SP2-2022-4015,openSUSE-SLE-15.3-2022-4015 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20224015-1/ Link for SUSE-SU-2022:4015-1 https://lists.suse.com/pipermail/sle-security-updates/2022-November/012945.html E-Mail link for SUSE-SU-2022:4015-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1198408 SUSE Bug 1198408 https://bugzilla.suse.com/1199782 SUSE Bug 1199782 https://www.suse.com/security/cve/CVE-2022-24836/ SUSE CVE CVE-2022-24836 page https://www.suse.com/security/cve/CVE-2022-29181/ SUSE CVE CVE-2022-29181 page Image SLES15-SP3-BYOS-Azure Image SLES15-SP3-BYOS-EC2-HVM Image SLES15-SP3-BYOS-GCE Image SLES15-SP3-HPC-BYOS-Azure Image SLES15-SP3-HPC-BYOS-EC2-HVM Image SLES15-SP3-HPC-BYOS-GCE Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM Image SLES15-SP3-Manager-4-2-Proxy-BYOS-GCE Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE Image SLES15-SP3-SAP-Azure-LI-BYOS-Production Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production Image SLES15-SP3-SAP-BYOS-Azure Image SLES15-SP3-SAP-BYOS-EC2-HVM Image SLES15-SP3-SAP-BYOS-GCE Image SLES15-SP3-SAPCAL-Azure Image SLES15-SP3-SAPCAL-EC2-HVM Image SLES15-SP3-SAPCAL-GCE SUSE Linux Enterprise High Availability Extension 15 SUSE Linux Enterprise High Availability Extension 15 SP1 SUSE Linux Enterprise High Availability Extension 15 SP2 SUSE Linux Enterprise Module for Basesystem 15 SP3 openSUSE Leap 15.3 ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 ruby2.5-rubygem-nokogiri-doc-1.8.5-150000.3.9.1 ruby2.5-rubygem-nokogiri-testsuite-1.8.5-150000.3.9.1 ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-BYOS-Azure ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-BYOS-EC2-HVM ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-BYOS-GCE ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-HPC-BYOS-Azure ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-HPC-BYOS-EC2-HVM ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-HPC-BYOS-GCE ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-Manager-4-2-Proxy-BYOS-GCE ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-SAP-Azure-LI-BYOS-Production ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-SAP-BYOS-Azure ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-SAP-BYOS-EC2-HVM ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-SAP-BYOS-GCE ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-SAPCAL-Azure ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-SAPCAL-EC2-HVM ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Image SLES15-SP3-SAPCAL-GCE ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of SUSE Linux Enterprise High Availability Extension 15 ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of SUSE Linux Enterprise High Availability Extension 15 SP1 ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of SUSE Linux Enterprise High Availability Extension 15 SP2 ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP3 ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of openSUSE Leap 15.3 ruby2.5-rubygem-nokogiri-doc-1.8.5-150000.3.9.1 as a component of openSUSE Leap 15.3 ruby2.5-rubygem-nokogiri-testsuite-1.8.5-150000.3.9.1 as a component of openSUSE Leap 15.3 Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue. CVE-2022-24836 Image SLES15-SP3-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-HPC-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-HPC-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-HPC-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-Manager-4-2-Proxy-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAP-Azure-LI-BYOS-Production:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAP-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAP-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAP-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAPCAL-Azure:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAPCAL-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAPCAL-GCE:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 openSUSE Leap 15.3:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 openSUSE Leap 15.3:ruby2.5-rubygem-nokogiri-doc-1.8.5-150000.3.9.1 openSUSE Leap 15.3:ruby2.5-rubygem-nokogiri-testsuite-1.8.5-150000.3.9.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20224015-1/ https://www.suse.com/security/cve/CVE-2022-24836.html CVE-2022-24836 https://bugzilla.suse.com/1198408 SUSE Bug 1198408 Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent. CVE-2022-29181 Image SLES15-SP3-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-HPC-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-HPC-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-HPC-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-Manager-4-2-Proxy-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAP-Azure-LI-BYOS-Production:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAP-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAP-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAP-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAPCAL-Azure:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAPCAL-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 Image SLES15-SP3-SAPCAL-GCE:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 openSUSE Leap 15.3:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 openSUSE Leap 15.3:ruby2.5-rubygem-nokogiri-doc-1.8.5-150000.3.9.1 openSUSE Leap 15.3:ruby2.5-rubygem-nokogiri-testsuite-1.8.5-150000.3.9.1 important 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20224015-1/ https://www.suse.com/security/cve/CVE-2022-29181.html CVE-2022-29181 https://bugzilla.suse.com/1199782 SUSE Bug 1199782