oss-sec mailing list archives
Re: CVE Request: rubygem-nokogiri Multiple DoS vulnerabilities
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 26 Dec 2013 21:30:38 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/26/2013 12:47 PM, Ratul Gupta wrote: I double checked these issues, they are subtly different, one is infinite loop from error parsing and the other fails to apply limits.
Hello, 1) https://bugzilla.redhat.com/show_bug.cgi?id=1046663 Nokogiri gem for Ruby was found to be affected by a DoS vulnerability, where an error when parsing XML documents can be exploited by an attacker to cause an infinite loop and subsequently exhaust memory and cause a crash via a specially crafted XML document.
Please use CVE-2013-6460 for this issue.
2) https://bugzilla.redhat.com/show_bug.cgi?id=1046664 Nokogiri gem for Ruby was found to be affected by a DoS vulnerability, where an error when parsing XML entities and can be exploited to exhaust memory and cause a crash via a specially crafted XML document including external entity references.
Please use CVE-2013-6461 for this issue.
Can CVE's please be assigned to these issues?
Please note original references: References: https://bugs.gentoo.org/show_bug.cgi?id=495218 Original Advisory: https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBAgAGBQJSvQJuAAoJEBYNRVNeJnmT+QoP/1c2L1HrrqrCWwk+sM60P1WB iqVF+N643XkNsNgFbK/3eAa2T1Bsj3uOKqxyEGLePPGblqH3+kPzqlT+IPCPy/0H UiiPSjO43WFv8kmSHo6hzIzn7us7oww8DNK4xBWItLYMfP/5SK/ANv5viFJBTCTu K5nrbUvTOIwWueAUMY/DgXLpfcssdITp7VH70uFrSgF+LzDtXGeOdscIMpu85FVU 5+sqJQy2yE939Q3XlEZzN1IeTwLghZkVb2WX5HLUBGEVBkFRvB8bY+nl4OtERSS1 R+ya6X4h9XAVyKXE3lgvHI1MFA3D8gotJqK8xPFjnuLBvcR0Scx63DfSf2hatcqI dbyQ8xR/qVYJGcOXpAENAPjrfyBCnd1GiozjECgZfB2A1T8+ahK4LWawd037lWbx +izFHURKFThLpdikdiwZ3hAZVjQpR3oHlxbEW83QlZPu2xCGDn66GtfFDtjHm8DA xxrgkMEkBlvRRCstVJsU7op5TBoCBofi8rXzpdWd/vtwuTg/PHV6fVb63PEPFkVd aBsL9oxFPW1WjJwU0JRYfSo2EeBg1laGWIbfy29xVX3deVOdMTWb2h3v9xAMhkEs qtTO8bLgB6Dym5wkugaj05PniZEGUoBHPOcli0ApjEFys4tLkctP1tBcwD39sPfc Xea35dJTkozZtlrQMBAU =Wrs6 -----END PGP SIGNATURE-----
Current thread:
- CVE Request: rubygem-nokogiri Multiple DoS vulnerabilities Ratul Gupta (Dec 26)
- Re: CVE Request: rubygem-nokogiri Multiple DoS vulnerabilities Kurt Seifried (Dec 26)