Fix JRuby memory exhaustion vulnerability #1087

Closed

Conversation

ocher (Contributor) commented Apr 30, 2014

This pull request fixes a JRuby memory exhaustion vulnerability which may lead to a DoS attack.

It is very similar to the one described here:
https://groups.google.com/forum/#!msg/ruby-security-ann/DeJpjTAg1FA/CADdUQ6N_qMJ

ocher (Contributor, Author) commented May 22, 2014

Any problems with this pull request? I believe that it is a pretty serious bug and should be merged ASAP.

flavorjones (Member)

@yokolet or @jvshahid - can one of you please review this PR?

jvshahid (Member)

Looking

@jvshahid jvshahid closed this in a098ddf May 22, 2014
flavorjones (Member)

Merged, thanks. Will package up 1.6.3.rc1 today.

boffbowsh added a commit to alphagov/publisher that referenced this pull request Sep 29, 2015
Koronen added a commit to stringer-rss/stringer that referenced this pull request Jan 24, 2016
Updates four vulnerable gems, as reported by the `bundler-audit` gem.

- [X] activesupport
- [X] nokogiri
- [X] rack
- [X] rest-client

    $ bundle-audit check
    Name: activesupport
    Version: 4.0.13
    Advisory: CVE-2015-3227
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
    Title: Possible Denial of Service attack in Active Support
    Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22

    Name: nokogiri
    Version: 1.6.1
    Advisory: CVE-2015-5312
    Criticality: High
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
    Title: Nokogiri gem contains several vulnerabilities in libxml2
    Solution: upgrade to >= 1.6.7.1

    Name: nokogiri
    Version: 1.6.1
    Advisory: CVE-2015-7499
    Criticality: Medium
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
    Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in
           libxml2
    Solution: upgrade to >= 1.6.7.2

    Name: nokogiri
    Version: 1.6.1
    Advisory: CVE-2015-1819
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1374
    Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
    Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

    Name: nokogiri
    Version: 1.6.1
    Advisory: 118481
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1087
    Title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory
           Consumption
    Remote DoS
    Solution: upgrade to >= 1.6.3

    Name: rack
    Version: 1.5.2
    Advisory: CVE-2015-3225
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
    Title: Potential Denial of Service Vulnerability in Rack
    Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6

    Name: rest-client
    Version: 1.6.7
    Advisory: CVE-2015-1820
    Criticality: Unknown
    URL: rest-client/rest-client#369
    Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie
           headers in 30x redirection responses
    Solution: upgrade to >= 1.8.0

    Name: rest-client
    Version: 1.6.7
    Advisory: CVE-2015-3448
    Criticality: Unknown
    URL: http://www.osvdb.org/show/osvdb/117461
    Title: Rest-Client Gem for Ruby logs password information in plaintext
    Solution: upgrade to >= 1.7.3

    Vulnerabilities found!
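As an added example (not code from this PR, from Nokogiri, or from bundler-audit), a Ruby script that parses the report format quoted above and checks, with RubyGems' own version semantics, whether a candidate upgrade closes every advisory listed for a gem. The sample report is constructed from two of the entries above; `parse_audit`, `patched_for?` and `open_advisories` are assumed names.

```ruby
# Constructed sample: two nokogiri entries in the bundle-audit output quoted above.
AUDIT_REPORT = <<~REPORT
  Name: nokogiri
  Version: 1.6.1
  Advisory: CVE-2015-1819
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1374
  Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
  Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

  Name: nokogiri
  Version: 1.6.1
  Advisory: 118481
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1087
  Title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory
         Consumption
  Remote DoS
  Solution: upgrade to >= 1.6.3
REPORT

# One hash per "Name:" block; a line without a "Key: " prefix continues the previous field.
def parse_audit(report)
  report.split(/\n\s*\n/).filter_map do |block|
    record, key = {}, nil
    block.each_line(chomp: true) do |line|
      if (m = line.match(/\A\s*([A-Za-z]+): (.*)\z/))
        key = m[1].downcase.to_sym
        record[key] = m[2].strip
      elsif key && !line.strip.empty?
        record[key] = "#{record[key]} #{line.strip}" # wrapped Title, "Remote DoS"
      end
    end
    record if record[:name] && record[:solution] # skip blocks that are not advisories
  end
end

# Solution lists alternative fixed branches; a version is patched if it satisfies ANY of them.
def patched_for?(advisory, version)
  v = Gem::Version.new(version)
  advisory[:solution].sub(/\Aupgrade to /, "").split(",").any? do |req|
    Gem::Requirement.new(req.strip).satisfied_by?(v)
  end
end

# Advisory ids still open for gem_name at version; empty means the bump closes all of them.
def open_advisories(advisories, gem_name, version)
  advisories.select { |a| a[:name] == gem_name && !patched_for?(a, version) }
            .map { |a| a[:advisory] }
end
```

Note that `~> 1.6.6.4` only covers the 1.6.6.x branch, so a bump to 1.6.7.2 is accepted for CVE-2015-1819 through the `>= 1.6.7.rc4` alternative, while 1.6.5 closes the JRuby DoS advisory but not CVE-2015-1819.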
CloCkWeRX added a commit to CloCkWeRX/planningalerts-app that referenced this pull request Apr 2, 2016
    Name: nokogiri
    Version: 1.5.11
    Advisory: CVE-2015-1819
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1374
    Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
    Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

    Name: nokogiri
    Version: 1.5.11
    Advisory: 118481
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1087
    Title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption
           Remote DoS
    Solution: upgrade to >= 1.6.3
beeflamian pushed a commit to square/shuttle that referenced this pull request Jun 9, 2016
4 participants