
commit by to_remotes 2025-07-23 13:44:44 +0200 from cicd

main
cicd 2025-07-23 13:44:44 +02:00
parent 6b2f472148
commit 48085a050a
4 changed files with 30 additions and 11 deletions

View File

@ -1 +1 @@
2025-07-17T11:00:02+02:00 2025-07-23T13:44:43+02:00

View File

@ -1 +1 @@
{"version":"0.9.2","created_at":"2025-07-17 11:00:02 +0200","results":[]} {"version":"0.9.2","created_at":"2025-07-23 13:44:43 +0200","results":[{"type":"unpatched_gem","gem":{"name":"nokogiri","version":"1.18.8"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/nokogiri/GHSA-353f-x4gh-cqq8.yml","id":"GHSA-353f-x4gh-cqq8","url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8","title":"Nokogiri patches vendored libxml2 to resolve multiple CVEs","date":"2025-07-21","description":"## Summary\n\nNokogiri v1.18.9 patches the vendored libxml2 to address\nCVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795,\nand CVE-2025-49796.\n\n## Impact and severity\n\n### CVE-2025-6021\n\nA flaw was found in libxml2's xmlBuildQName function, where integer\noverflows in buffer size calculations can lead to a stack-based\nbuffer overflow. This issue can result in memory corruption or a\ndenial of service when processing crafted input.\n\nNVD claims a severity of 7.5 High\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae\n\n### CVE-2025-6170\n\nA flaw was found in the interactive shell of the xmllint command-line\ntool, used for parsing XML files. When a user inputs an overly long\ncommand, the program does not check the input size properly, which\ncan cause it to crash. This issue might allow attackers to run\nharmful code in rare configurations without modern protections.\n\nNVD claims a severity of 2.5 Low\n(CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1\n\n### CVE-2025-49794\n\nA use-after-free vulnerability was found in libxml2. 
This issue\noccurs when parsing XPath elements under certain circumstances when\nthe XML schematron has the <sch:name path=\"...\"/> schema elements.\nThis flaw allows a malicious actor to craft a malicious XML document\nused as input for libxml, resulting in the program's crash using\nlibxml or other possible undefined behaviors.\n\nNVD claims a severity of 9.1 Critical\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5\n\n### CVE-2025-49795\n\nA NULL pointer dereference vulnerability was found in libxml2 when\nprocessing XPath XML expressions. This flaw allows an attacker to\ncraft a malicious XML input to libxml2, leading to a denial of service.\n\nNVD claims a severity of 7.5 High\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278\n\n### CVE-2025-49796\n\nA vulnerability was found in libxml2. Processing certain sch:name\nelements from the input XML file can trigger a memory corruption\nissue. 
This flaw allows an attacker to craft a malicious XML input\nfile that can lead libxml to crash, resulting in a denial of service\nor other possible undefined behavior due to sensitive data being\ncorrupted in memory.\n\nNVD claims a severity of 9.1 Critical\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5\n\n## Affected Versions\n\n- Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2\n\n## Patched Versions\n\n- Nokogiri >= 1.18.9\n\n## Mitigation\n\nUpgrade to Nokogiri v1.18.9 or later.\n\nUsers who are unable to upgrade Nokogiri may also choose a more\ncomplicated mitigation: compile and link Nokogiri against patched\nexternal libxml2 libraries which will also address these same issues.\n","cvss_v2":null,"cvss_v3":null,"cve":null,"osvdb":null,"ghsa":"353f-x4gh-cqq8","unaffected_versions":[],"patched_versions":[">= 1.18.9"],"criticality":null}},{"type":"unpatched_gem","gem":{"name":"thor","version":"1.3.2"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/thor/CVE-2025-54314.yml","id":"CVE-2025-54314","url":"https://github.com/advisories/GHSA-mqcp-p2hv-vw6x","title":"Thor can construct an unsafe shell command from library input.","date":"2025-07-20","description":"Thor before 1.4.0 can construct an unsafe shell command\nfrom library input.\n","cvss_v2":null,"cvss_v3":2.8,"cve":"2025-54314","osvdb":null,"ghsa":"mqcp-p2hv-vw6x","unaffected_versions":[],"patched_versions":[">= 1.4.0"],"criticality":"low"}}]}
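Review bot: every `advisory.path` in the committed JSON embeds the runner's absolute home directory (`/home/wiseadvice/.local/share/ruby-advisory-db/gems/...`), which is environment-specific noise in a tracked artifact and discloses the CI user's layout; strip the prefix or record only the advisory `id` before committing. Separately, the nokogiri entry carries `cvss_v3: null` and `criticality: null` even though its own description rates CVE-2025-49794 and CVE-2025-49796 at 9.1 Critical, so any consumer keying on those fields will under-prioritise it; gate on the presence of `unpatched_gem` entries rather than on their score.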

View File

@ -1 +1,18 @@
No vulnerabilities found Name: nokogiri
Version: 1.18.8
GHSA: GHSA-353f-x4gh-cqq8
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8
Title: Nokogiri patches vendored libxml2 to resolve multiple CVEs
Solution: update to '>= 1.18.9'
Name: thor
Version: 1.3.2
CVE: CVE-2025-54314
GHSA: GHSA-mqcp-p2hv-vw6x
Criticality: Low
URL: https://github.com/advisories/GHSA-mqcp-p2hv-vw6x
Title: Thor can construct an unsafe shell command from library input.
Solution: update to '>= 1.4.0'
Vulnerabilities found!
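Review bot: `Criticality: Unknown` for nokogiri 1.18.8 understates the finding, since the advisory's description rates two of the bundled CVEs 9.1 Critical; a pipeline that gates on criticality would let this one through, so gate on the closing `Vulnerabilities found!` line (or the tool's exit status) instead, and follow this commit with the `>= 1.18.9` and `>= 1.4.0` bumps in Gemfile.lock rather than only recording the findings.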

View File

@ -1,12 +1,14 @@
Updating ruby-advisory-db ... Updating ruby-advisory-db ...
Updating 098479f..6434583 Updating 6434583..0340343
Fast-forward Fast-forward
gems/measured/GHSA-29g5-m8v7-v564.yml | 25 +++++++++++++++++++++++++ gems/jquery-ui-rails/CVE-2022-31160.yml | 2 +-
gems/resolv/CVE-2025-24294.yml | 2 ++ gems/nokogiri/GHSA-353f-x4gh-cqq8.yml | 106 ++++++++++++++++++++++++++++++++
2 files changed, 27 insertions(+) gems/thor/CVE-2025-54314.yml | 21 +++++++
create mode 100644 gems/measured/GHSA-29g5-m8v7-v564.yml 3 files changed, 128 insertions(+), 1 deletion(-)
create mode 100644 gems/nokogiri/GHSA-353f-x4gh-cqq8.yml
create mode 100644 gems/thor/CVE-2025-54314.yml
Updated ruby-advisory-db Updated ruby-advisory-db
ruby-advisory-db: ruby-advisory-db:
advisories: 994 advisories advisories: 996 advisories
last updated: 2025-07-16 11:49:53 -0700 last updated: 2025-07-22 13:46:49 -0700
commit: 64345835b110ae8054160496b5241f9f7d5ec6cc commit: 034034313869350fa93437bb82666183991b8b56
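Review bot: the advisory-db pin moves from `6434583` to `0340343` and `last updated` from 2025-07-16 to 2025-07-22, while the two findings are dated 2025-07-20 (thor) and 2025-07-21 (nokogiri); the previous scan on 2025-07-17 could not have seen either, so these are newly published advisories rather than regressions in the lockfile, and a daily schedule would have surfaced them a day or two sooner than this six-day interval did.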