{"id":"MGASA-2021-0063","summary":"Updated ruby-nokogiri packages fix security vulnerabilities","details":"A command injection vulnerability in Nokogiri v1.10.3 and earlier allows\ncommands to be executed in a subprocess via Ruby's `Kernel.open` method.\nProcesses are vulnerable only if the undocumented method\n`Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as\nthe filename (CVE-2019-5477).\n\nIn Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML\nSchemas parsed by Nokogiri::XML::Schema are trusted by default, allowing\nexternal resources to be accessed over the network, potentially enabling XXE or\nSSRF attacks. This behavior is counter to the security policy followed by\nNokogiri maintainers, which is to treat all input as untrusted by default\nwhenever possible (CVE-2020-26247).\n\nThe ruby-nokogiri package has been updated to version 1.10.10 to fix\nCVE-2019-5477 and patched to fix CVE-2020-26247.\n","modified":"2026-04-16T04:43:59.695877689Z","published":"2021-02-04T13:40:24Z","upstream":["CVE-2019-5477","CVE-2020-26247"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0063.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=28141"},{"type":"WEB","url":"https://github.com/sparklemotion/nokogiri/releases/"},{"type":"WEB","url":"https://lists.suse.com/pipermail/sle-security-updates/2021-January/008244.html"}],"affected":[{"package":{"name":"ruby-nokogiri","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/ruby-nokogiri?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.10.10-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0063.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}