-
-
Notifications
You must be signed in to change notification settings - Fork 220
/
Copy pathCVE-2017-5029.yml
45 lines (36 loc) · 1.39 KB
/
CVE-2017-5029.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
---
gem: nokogiri
cve: 2017-5029
ghsa: pf6m-fxpq-fg8v
url: https://github.com/sparklemotion/nokogiri/issues/1634
title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
date: 2017-05-09
description: |
nokogiri version 1.7.2 has been released.
This is a security update based on 1.7.1, addressing two upstream
libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical
and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat.
These patches only apply when using Nokogiri's vendored libxslt
package. If you're using your distro's system libraries, there's no
need to upgrade from 1.7.0.1 or 1.7.1 at this time.
Full details are available at the github issue linked to in the
changelog below.
-----
# 1.7.2 / 2017-05-09
## Security Notes
[MRI] Upstream libxslt patches are applied to the vendored libxslt
1.1.29 which address CVE-2017-5029 and CVE-2016-4738.
For more information:
* https://github.com/sparklemotion/nokogiri/issues/1634
* http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
* http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html
cvss_v3: 8.8
patched_versions:
- ">= 1.7.2"
related:
cve:
- 2016-4738
- 2017-5029
url:
- http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
- http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html