Accepted ruby-nokogiri 1.10.0+dfsg1-2+deb10u1 (source) into oldstable
- To: dispatch@tracker.debian.org, debian-lts-changes@lists.debian.org
- Subject: Accepted ruby-nokogiri 1.10.0+dfsg1-2+deb10u1 (source) into oldstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Wed, 12 Oct 2022 13:40:25 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: ruby-nokogiri_1.10.0+dfsg1-2+deb10u1_source.changes
- Debian-source: ruby-nokogiri
- Debian-suite: oldstable
- Debian-version: 1.10.0+dfsg1-2+deb10u1
- Mail-followup-to: debian-lts@lists.debian.org
- Message-id: <E1oibyD-00CdCu-3j@seger.debian.org>
- Reply-to: debian-lts@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 11 Oct 2022 19:39:06 +0200
Source: ruby-nokogiri
Architecture: source
Version: 1.10.0+dfsg1-2+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Closes: 934802 978967 1009787
Changes:
ruby-nokogiri (1.10.0+dfsg1-2+deb10u1) buster-security; urgency=high
.
  * Non-maintainer upload by the LTS Security Team.
  * CVE-2019-5477: command injection vulnerability allows commands to be
    executed in a subprocess via Ruby's `Kernel.open` method. Processes
    are vulnerable only if the undocumented method
    `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user
    input as the filename. This vulnerability appears in code generated by
    the Rexical gem versions v1.0.6 and earlier. Rexical is used by
    Nokogiri to generate lexical scanner code for parsing CSS
    queries. (Closes: #934802)
  * CVE-2020-26247: XXE vulnerability: XML Schemas parsed by
    Nokogiri::XML::Schema are trusted by default, allowing external
    resources to be accessed over the network, potentially enabling XXE or
    SSRF attacks. This behavior is counter to the security policy followed
    by Nokogiri maintainers, which is to treat all input as untrusted by
    default whenever possible. (Closes: #978967)
  * CVE-2022-24836: Nokogiri contains an inefficient regular expression
    that is susceptible to excessive backtracking when attempting to
    detect encoding in HTML documents. (Closes: #1009787)
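As an added illustration of the `Kernel.open` issue class described in the CVE-2019-5477 entry above (example code written for this page, not code from this upload, from Nokogiri or from Rexical): in Ruby the bare `open` is `Kernel.open`, which treats an argument beginning with `|` as a command to run in a subprocess, whereas `File.open` treats the same string as an ordinary filename. The helper names `pipe_spec?`, `read_untrusted_path`, `file_open_ignores_pipe?` and `demo_read` are my own, and the temporary file and the nonexistent pipe-style name are constructed inside the block.

```ruby
# Added example, not code from this upload, Nokogiri or Rexical.
# Kernel.open (the bare `open` in Ruby) treats an argument beginning with "|"
# as a command to run in a subprocess; File.open treats the same string as an
# ordinary filename. Code that opens a caller-supplied path should therefore
# use File.open and, ideally, reject pipe-style names outright.
require "tempfile"
require "tmpdir"

# True when Kernel.open would interpret +name+ as a subprocess spec.
def pipe_spec?(name)
  name.start_with?("|")
end

# Hardened reader: rejects pipe-style names, then uses File.open, which never
# spawns a process regardless of the string's content.
def read_untrusted_path(name)
  raise ArgumentError, "refusing pipe-style filename: #{name.inspect}" if pipe_spec?(name)
  File.open(name, "rb") { |f| f.read }
end

# Shows that File.open is inert for a pipe-style name: it merely fails to find
# a file of that (constructed, nonexistent) name instead of running anything.
def file_open_ignores_pipe?
  bogus = File.join(Dir.tmpdir, "|no-such-file-#{Process.pid}")
  File.open(bogus, "rb") { |f| f.read }
  false # a file with that literal name existed; nothing was executed either way
rescue Errno::ENOENT
  true
end

# Round trip through a constructed temporary file to show the normal path works.
def demo_read
  Tempfile.create("hardened-open-example") do |tmp|
    tmp.write("sample content")
    tmp.flush
    read_untrusted_path(tmp.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts demo_read
  puts "File.open inert for pipe-style name: #{file_open_ignores_pipe?}"
  begin
    read_untrusted_path("|some-command")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The explicit `pipe_spec?` check is belt-and-braces: `File.open` alone already removes the subprocess behaviour, but rejecting such names early gives a clear error and a log line to alert on rather than a confusing "no such file" failure.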
Checksums-Sha1:
19d051a68d9a2f76f66435abf7436c6a6f74d5cc 2289 ruby-nokogiri_1.10.0+dfsg1-2+deb10u1.dsc
534b8ad0333f6e3d44f06c141f4579cf2681ee2c 447908 ruby-nokogiri_1.10.0+dfsg1.orig.tar.xz
015d0329704a11f2fb2cfc8f048073fc78e5279b 14284 ruby-nokogiri_1.10.0+dfsg1-2+deb10u1.debian.tar.xz
4d4d41e64cc145826f9761dd1457a135c779ef99 9458 ruby-nokogiri_1.10.0+dfsg1-2+deb10u1_amd64.buildinfo
Checksums-Sha256:
5e1e818634b9b6234e207e3c9806d8100466343a3ce3d8e8cf8fb7611fe72a16 2289 ruby-nokogiri_1.10.0+dfsg1-2+deb10u1.dsc
0d6f82906605169e50087fcc67789b3962916d60eb8a54d113b1ccdc5a51c043 447908 ruby-nokogiri_1.10.0+dfsg1.orig.tar.xz
d7c956504a23e72be419dff26c8dd34413d89e5e9d8103bd27426b2cc58113a4 14284 ruby-nokogiri_1.10.0+dfsg1-2+deb10u1.debian.tar.xz
7a82c86a3133453fb27aaae662c4edf41f6923857fe160fc05be1a280bd276f7 9458 ruby-nokogiri_1.10.0+dfsg1-2+deb10u1_amd64.buildinfo
Files:
9f400cabc21d3cdf19271182f88f77c4 2289 ruby optional ruby-nokogiri_1.10.0+dfsg1-2+deb10u1.dsc
7c2b60f530dce00727c1c19ff0a48b58 447908 ruby optional ruby-nokogiri_1.10.0+dfsg1.orig.tar.xz
69dd35b03568e41a9b929f8aab62cfc5 14284 ruby optional ruby-nokogiri_1.10.0+dfsg1-2+deb10u1.debian.tar.xz
5c818a556dda7c6e332bfbe8dc00690b 9458 ruby optional ruby-nokogiri_1.10.0+dfsg1-2+deb10u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----