Skip to content

Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Low severity GitHub Reviewed Published May 13, 2024 in sparklemotion/nokogiri • Updated May 16, 2024

Package

bundler nokogiri (RubyGems)

Affected versions

< 1.16.5

Patched versions

1.16.5

Description

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

  • 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
  • 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
  • 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

References

@flavorjones flavorjones published to sparklemotion/nokogiri May 13, 2024
Published to the GitHub Advisory Database May 13, 2024
Reviewed May 13, 2024
Last updated May 16, 2024

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-r95h-9x8f-r3f7

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.