From 40140d95c829fe9ccb42fab5002b884be033029c Mon Sep 17 00:00:00 2001
From: cicd
Date: Mon, 4 Aug 2025 10:18:53 +0200
Subject: [PATCH] commit by to_remotes 2025-08-04 10:18:53 +0200 from cicd
---
 bundle-audit-time.txt | 2 +-
 bundle-audit.json | 2 +-
 report.txt | 19 +------------------
 update-info.txt | 6 +-----
 4 files changed, 4 insertions(+), 25 deletions(-)
diff --git a/bundle-audit-time.txt b/bundle-audit-time.txt
index 0ee973e..2ea774d 100644
--- a/bundle-audit-time.txt
+++ b/bundle-audit-time.txt
@@ -1 +1 @@
-2025-08-04T10:16:25+02:00
+2025-08-04T10:18:52+02:00
diff --git a/bundle-audit.json b/bundle-audit.json
index a169e3d..ee28c7b 100644
--- a/bundle-audit.json
+++ b/bundle-audit.json
@@ -1 +1 @@
-{"version":"0.9.2","created_at":"2025-08-04 10:16:24 +0200","results":[{"type":"unpatched_gem","gem":{"name":"nokogiri","version":"1.18.8"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/nokogiri/GHSA-353f-x4gh-cqq8.yml","id":"GHSA-353f-x4gh-cqq8","url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8","title":"Nokogiri patches vendored libxml2 to resolve multiple CVEs","date":"2025-07-21","description":"## Summary\n\nNokogiri v1.18.9 patches the vendored libxml2 to address\nCVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795,\nand CVE-2025-49796.\n\n## Impact and severity\n\n### CVE-2025-6021\n\nA flaw was found in libxml2's xmlBuildQName function, where integer\noverflows in buffer size calculations can lead to a stack-based\nbuffer overflow. This issue can result in memory corruption or a\ndenial of service when processing crafted input.\n\nNVD claims a severity of 7.5 High\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae\n\n### CVE-2025-6170\n\nA flaw was found in the interactive shell of the xmllint command-line\ntool, used for parsing XML files. When a user inputs an overly long\ncommand, the program does not check the input size properly, which\ncan cause it to crash. This issue might allow attackers to run\nharmful code in rare configurations without modern protections.\n\nNVD claims a severity of 2.5 Low\n(CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1\n\n### CVE-2025-49794\n\nA use-after-free vulnerability was found in libxml2. This issue\noccurs when parsing XPath elements under certain circumstances when\nthe XML schematron has the schema elements.\nThis flaw allows a malicious actor to craft a malicious XML document\nused as input for libxml, resulting in the program's crash using\nlibxml or other possible undefined behaviors.\n\nNVD claims a severity of 9.1 Critical\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5\n\n### CVE-2025-49795\n\nA NULL pointer dereference vulnerability was found in libxml2 when\nprocessing XPath XML expressions. This flaw allows an attacker to\ncraft a malicious XML input to libxml2, leading to a denial of service.\n\nNVD claims a severity of 7.5 High\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278\n\n### CVE-2025-49796\n\nA vulnerability was found in libxml2. Processing certain sch:name\nelements from the input XML file can trigger a memory corruption\nissue. This flaw allows an attacker to craft a malicious XML input\nfile that can lead libxml to crash, resulting in a denial of service\nor other possible undefined behavior due to sensitive data being\ncorrupted in memory.\n\nNVD claims a severity of 9.1 Critical\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5\n\n## Affected Versions\n\n- Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2\n\n## Patched Versions\n\n- Nokogiri >= 1.18.9\n\n## Mitigation\n\nUpgrade to Nokogiri v1.18.9 or later.\n\nUsers who are unable to upgrade Nokogiri may also choose a more\ncomplicated mitigation: compile and link Nokogiri against patched\nexternal libxml2 libraries which will also address these same issues.\n","cvss_v2":null,"cvss_v3":null,"cve":null,"osvdb":null,"ghsa":"353f-x4gh-cqq8","unaffected_versions":[],"patched_versions":[">= 1.18.9"],"criticality":null}},{"type":"unpatched_gem","gem":{"name":"thor","version":"1.3.2"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/thor/CVE-2025-54314.yml","id":"CVE-2025-54314","url":"https://github.com/advisories/GHSA-mqcp-p2hv-vw6x","title":"Thor can construct an unsafe shell command from library input.","date":"2025-07-20","description":"Thor before 1.4.0 can construct an unsafe shell command\nfrom library input.\n","cvss_v2":null,"cvss_v3":2.8,"cve":"2025-54314","osvdb":null,"ghsa":"mqcp-p2hv-vw6x","unaffected_versions":[],"patched_versions":[">= 1.4.0"],"criticality":"low"}}]}
\ No newline at end of file
+{"version":"0.9.2","created_at":"2025-08-04 10:18:52 +0200","results":[]}
\ No newline at end of file
diff --git a/report.txt b/report.txt
index ef48cbe..8900c02 100644
--- a/report.txt
+++ b/report.txt
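Review bot: The new `results` array is empty while nothing in this commit shows the two previously reported gems (nokogiri 1.18.8, thor 1.3.2) being upgraded past the patched versions `>= 1.18.9` and `>= 1.4.0`, and the update-info.txt hunk records the advisory database as `Already up to date.`, so the patch itself does not explain why the findings disappeared. Unless a lockfile bump landed in a separate commit, an empty result two minutes after a non-empty one is at least as likely to come from a changed scanner invocation or an ignore list as from a remediation, and the `No vulnerabilities found` line in the report.txt hunk would then be misleading. Worth confirming the resolved gem versions, or any ignore configuration passed to bundler-audit, before this run is treated as clean; the same concern applies to the report.txt and update-info.txt hunks, which only restate this result.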
@@ -1,18 +1 @@
-Name: nokogiri
-Version: 1.18.8
-GHSA: GHSA-353f-x4gh-cqq8
-Criticality: Unknown
-URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8
-Title: Nokogiri patches vendored libxml2 to resolve multiple CVEs
-Solution: update to '>= 1.18.9'
-
-Name: thor
-Version: 1.3.2
-CVE: CVE-2025-54314
-GHSA: GHSA-mqcp-p2hv-vw6x
-Criticality: Low
-URL: https://github.com/advisories/GHSA-mqcp-p2hv-vw6x
-Title: Thor can construct an unsafe shell command from library input.
-Solution: update to '>= 1.4.0'
-
-Vulnerabilities found!
+No vulnerabilities found
diff --git a/update-info.txt b/update-info.txt
index 4a5b67e..e64b914 100644
--- a/update-info.txt
+++ b/update-info.txt
@@ -1,9 +1,5 @@
 Updating ruby-advisory-db ...
-Updating 77e2113..f4e7641
-Fast-forward
- gems/ruby-saml/CVE-2025-54572.yml | 89 +++++++++++++++++++++++++++++++++++++++
- 1 file changed, 89 insertions(+)
- create mode 100644 gems/ruby-saml/CVE-2025-54572.yml
+Already up to date.
 Updated ruby-advisory-db
 ruby-advisory-db: advisories: 997 advisories