=====================================================================
CERT-Renater Information Note No. 2025/VULN109
_____________________________________________________________________

DATE                 : 20/02/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Nokogiri versions prior to 1.18.3.
=====================================================================

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m
_____________________________________________________________________

Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Severity          : Low
Advisory          : GHSA-vvfq-8hwr-qm4m, published by flavorjones on Feb 18, 2025
Package           : nokogiri (RubyGems)
Affected versions : < 1.18.3
Patched versions  : 1.18.3

Description

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6. libxml2 v2.13.6 addresses:

  - CVE-2025-24928, described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
  - CVE-2024-56171, described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

Impact

CVE-2025-24928
A stack buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3 kB) QName prefix.

CVE-2024-56171
A use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, during validation of untrusted documents against trusted Schemas if those Schemas make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

Severity   : Low
CVE ID     : No known CVE (none assigned to the GHSA itself; the underlying libxml2 issues are tracked as CVE-2025-24928 and CVE-2024-56171)
Weaknesses : No CWEs

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44              +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41              +
+ 75013 Paris        | email : cert@support.renater.fr   +
=========================================================
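The following Ruby script is an added example, not part of the CERT-Renater note or of the Nokogiri project, for checking exposure to this advisory. It reads the pinned nokogiri version(s) out of a Gemfile.lock and compares them against the affected range (< 1.18.3), and, when Nokogiri can be loaded in the current process, also reports the libxml2 version actually in use via Nokogiri::VERSION_INFO. That second number is the one that matters for a gem built against a system libxml2 (the advisory only updates the libxml2 that Nokogiri packages): such a build stays exposed until the system library is at 2.13.6 or carries a backported fix, which a version compare cannot see. The sample lockfile excerpt is constructed for the example; treating a build without a "libxml" entry (the JRuby variant) as not affected is an assumption.

```ruby
# Added example (not from the CERT-Renater note or the Nokogiri project):
# audit a Gemfile.lock, and optionally the running process, for
# GHSA-vvfq-8hwr-qm4m (nokogiri < 1.18.3 / packaged libxml2 < 2.13.6).
require "rubygems" # Gem::Version ships with RubyGems

PATCHED_NOKOGIRI = Gem::Version.new("1.18.3") # patched version per the advisory
PATCHED_LIBXML2  = Gem::Version.new("2.13.6") # libxml2 release that fixes both CVEs

# True when a Nokogiri version string falls in the advisory's affected range (< 1.18.3).
def nokogiri_affected?(version)
  Gem::Version.new(version) < PATCHED_NOKOGIRI
end

# Every pinned nokogiri version in a Gemfile.lock. Direct gem entries sit under
# "specs:" indented by exactly four spaces; dependency constraints such as
# "      nokogiri (>= 1.12.0)" are indented by six and must be ignored.
# A platform suffix ("1.18.2-x86_64-linux-gnu") is stripped from the version.
def locked_nokogiri_versions(lockfile_text)
  lockfile_text
    .scan(/^ {4}nokogiri \((\d+\.\d+\.\d+(?:\.\w+)*)(?:-[^)]+)?\)$/)
    .flatten
    .uniq
end

# {version => affected?} for each pinned nokogiri version in the lockfile.
def audit_lockfile(lockfile_text)
  locked_nokogiri_versions(lockfile_text).to_h { |v| [v, nokogiri_affected?(v)] }
end

# Runtime check. Nokogiri::VERSION_INFO["libxml"]["loaded"] is the libxml2 the
# process is really using; for a gem built with --use-system-libraries this is
# the distro library, not the packaged one the advisory updates. Returns nil
# when nokogiri is not installed in this process.
def runtime_status
  require "nokogiri"
  libxml = Nokogiri::VERSION_INFO.dig("libxml", "loaded") ||
           Nokogiri::VERSION_INFO.dig("libxml", "compiled")
  {
    nokogiri: Nokogiri::VERSION,
    libxml2: libxml,
    # Assumption: no "libxml" entry means the JRuby build (Xerces), which does
    # not use libxml2. Distro backports that keep an old version number are
    # not detectable here; check the package changelog in that case.
    affected: libxml ? Gem::Version.new(libxml) < PATCHED_LIBXML2 : false
  }
rescue LoadError
  nil
end

# Constructed Gemfile.lock excerpt (not a real project): a vulnerable pin with a
# platform suffix, plus a dependency-constraint line that must be skipped.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.24.0)
        nokogiri (>= 1.12.0)
      nokogiri (1.18.2-x86_64-linux-gnu)
        racc (~> 1.4)
      racc (1.8.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  audit_lockfile(SAMPLE_LOCKFILE).each do |version, bad|
    puts "Gemfile.lock: nokogiri #{version} -> #{bad ? 'AFFECTED, upgrade to 1.18.3' : 'ok'}"
  end
  if (rt = runtime_status)
    puts "runtime: nokogiri #{rt[:nokogiri]}, libxml2 #{rt[:libxml2]} -> " \
         "#{rt[:affected] ? 'AFFECTED' : 'ok'}"
  end
end
```

Point `audit_lockfile` at `File.read("Gemfile.lock")` of the application to be checked; the runtime part is only meaningful when run inside the application's bundle (for example via `bundle exec`), since that is where the loaded libxml2 comes from.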