Security update for rubygem-nokogiri SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:0251-1 Final 1 1 2021-02-01T10:20:05Z current 2021-02-01T10:20:05Z 2021-02-01T10:20:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-nokogiri This update for rubygem-nokogiri fixes the following issues: rubygem-nokogiri was updated to 1.8.5 (bsc#1156722). Security issues fixed: - CVE-2019-5477: Fixed a command injection vulnerability (bsc#1146578). - CVE-2020-26247: Fixed an XXE vulnerability in Nokogiri::XML::Schema (bsc#1180507). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP3-BYOS-Azure-2021-251,Image SLES15-SP3-BYOS-EC2-HVM-2021-251,Image SLES15-SP3-BYOS-GCE-2021-251,Image SLES15-SP3-EC2-HVM-2021-251,Image SLES15-SP3-GCE-2021-251,Image SLES15-SP3-HPC-Azure-2021-251,Image SLES15-SP3-HPC-BYOS-Azure-2021-251,Image SLES15-SP3-HPC-BYOS-EC2-HVM-2021-251,Image SLES15-SP3-HPC-BYOS-GCE-2021-251,Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure-2021-251,Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM-2021-251,Image SLES15-SP3-Manager-4-2-Proxy-BYOS-GCE-2021-251,Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure-2021-251,Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM-2021-251,Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE-2021-251,Image SLES15-SP3-SAP-Azure-2021-251,Image SLES15-SP3-SAP-Azure-LI-BYOS-Production-2021-251,Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production-2021-251,Image SLES15-SP3-SAP-BYOS-Azure-2021-251,Image SLES15-SP3-SAP-BYOS-EC2-HVM-2021-251,Image SLES15-SP3-SAP-BYOS-GCE-2021-251,Image SLES15-SP3-SAP-EC2-HVM-2021-251,Image SLES15-SP3-SAP-GCE-2021-251,Image SLES15-SP3-SAPCAL-Azure-2021-251,Image SLES15-SP3-SAPCAL-EC2-HVM-2021-251,Image SLES15-SP3-SAPCAL-GCE-2021-251,SUSE-2021-251,SUSE-SLE-Product-HA-15-2021-251,SUSE-SLE-Product-HA-15-SP1-2021-251,SUSE-SLE-Product-HA-15-SP2-2021-251 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20210251-1/ Link for SUSE-SU-2021:0251-1 https://lists.suse.com/pipermail/sle-security-updates/2021-February/008258.html E-Mail link for SUSE-SU-2021:0251-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1146578 SUSE Bug 1146578 https://bugzilla.suse.com/1156722 SUSE Bug 1156722 https://bugzilla.suse.com/1180507 SUSE Bug 1180507 https://www.suse.com/security/cve/CVE-2019-5477/ SUSE CVE CVE-2019-5477 page https://www.suse.com/security/cve/CVE-2020-26247/ SUSE CVE CVE-2020-26247 page Image SLES15-SP3-BYOS-Azure Image SLES15-SP3-BYOS-EC2-HVM Image SLES15-SP3-BYOS-GCE Image SLES15-SP3-EC2-HVM Image SLES15-SP3-GCE Image SLES15-SP3-HPC-Azure Image SLES15-SP3-HPC-BYOS-Azure Image SLES15-SP3-HPC-BYOS-EC2-HVM Image SLES15-SP3-HPC-BYOS-GCE Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM Image SLES15-SP3-Manager-4-2-Proxy-BYOS-GCE Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE Image SLES15-SP3-SAP-Azure Image SLES15-SP3-SAP-Azure-LI-BYOS-Production Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production Image SLES15-SP3-SAP-BYOS-Azure Image SLES15-SP3-SAP-BYOS-EC2-HVM Image SLES15-SP3-SAP-BYOS-GCE Image SLES15-SP3-SAP-EC2-HVM Image SLES15-SP3-SAP-GCE Image SLES15-SP3-SAPCAL-Azure Image SLES15-SP3-SAPCAL-EC2-HVM Image SLES15-SP3-SAPCAL-GCE SUSE Linux Enterprise High Availability Extension 15 SUSE Linux Enterprise High Availability Extension 15 SP1 SUSE Linux Enterprise High Availability Extension 15 SP2 ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 ruby2.5-rubygem-nokogiri-doc-1.8.5-3.6.1 ruby2.5-rubygem-nokogiri-testsuite-1.8.5-3.6.1 ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-BYOS-Azure ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-BYOS-EC2-HVM ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-BYOS-GCE ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-EC2-HVM ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-GCE ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-HPC-Azure ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-HPC-BYOS-Azure ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-HPC-BYOS-EC2-HVM ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-HPC-BYOS-GCE ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-Manager-4-2-Proxy-BYOS-GCE ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-SAP-Azure ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-SAP-Azure-LI-BYOS-Production ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-SAP-BYOS-Azure ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-SAP-BYOS-EC2-HVM ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-SAP-BYOS-GCE ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-SAP-EC2-HVM ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-SAP-GCE ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-SAPCAL-Azure ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-SAPCAL-EC2-HVM ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Image SLES15-SP3-SAPCAL-GCE ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of SUSE Linux Enterprise High Availability Extension 15 ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of SUSE Linux Enterprise High Availability Extension 15 SP1 ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of SUSE Linux Enterprise High Availability Extension 15 SP2 A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4. CVE-2019-5477 Image SLES15-SP3-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-HPC-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-HPC-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-HPC-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-HPC-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-Manager-4-2-Proxy-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-Azure-LI-BYOS-Production:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAPCAL-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAPCAL-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAPCAL-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210251-1/ https://www.suse.com/security/cve/CVE-2019-5477.html CVE-2019-5477 https://bugzilla.suse.com/1146578 SUSE Bug 1146578 Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4. CVE-2020-26247 Image SLES15-SP3-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-HPC-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-HPC-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-HPC-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-HPC-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-Manager-4-2-Proxy-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-Azure-LI-BYOS-Production:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-BYOS-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-BYOS-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-BYOS-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAP-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAPCAL-Azure:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAPCAL-EC2-HVM:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 Image SLES15-SP3-SAPCAL-GCE:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210251-1/ https://www.suse.com/security/cve/CVE-2020-26247.html CVE-2020-26247 https://bugzilla.suse.com/1180507 SUSE Bug 1180507