Duplicate Advisory: Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Low severity GitHub Reviewed Published May 14, 2024 to the GitHub Advisory Database • Updated May 16, 2024
Withdrawn This advisory was withdrawn on May 16, 2024

Package

bundler nokogiri (RubyGems)

Affected versions

< 1.16.5

Patched versions

1.16.5

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-r95h-9x8f-r3f7. This link is maintained to preserve external references.

Original Description

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

Impact

There is no impact to Nokogiri users because the issue is present only
in libxml2's xmllint tool which Nokogiri does not provide or expose.
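The practical question for a deployment is which libxml2 a given Nokogiri actually loads: the gem version only tells you about the packaged library, while a build against system libxml2 is patched through the OS, not through the gem. The following Ruby check is an added example, not code from the advisory or the Nokogiri project; it assumes the layout of `Nokogiri::VERSION_INFO` (keys `"nokogiri" => "version"` and `"libxml" => "source"/"loaded"`), and the sample hashes are constructed.

```ruby
require "rubygems" # Gem::Version for proper version comparison

PATCHED_NOKOGIRI = Gem::Version.new("1.16.5") # first gem bundling libxml2 2.12.7
PATCHED_LIBXML2  = Gem::Version.new("2.12.7") # libxml2 release carrying the CVE-2024-34459 fix

# Classify an install from a hash shaped like Nokogiri::VERSION_INFO (assumed layout).
# Returns one of :patched, :upgrade_gem, :system_ok, :update_system_libxml2.
def ghsa_r3w4_status(info)
  gem_v  = Gem::Version.new(info.fetch("nokogiri").fetch("version"))
  libxml = info.fetch("libxml")
  loaded = Gem::Version.new(libxml.fetch("loaded")) # the library actually in memory

  if libxml["source"] == "system"
    # Gem version is irrelevant here; only the OS-provided shared library counts.
    loaded >= PATCHED_LIBXML2 ? :system_ok : :update_system_libxml2
  elsif gem_v >= PATCHED_NOKOGIRI && loaded >= PATCHED_LIBXML2
    :patched
  else
    :upgrade_gem # packaged libxml2 < 2.12.7; no runtime impact, since xmllint is not shipped
  end
end

# Constructed samples mirroring the three cases above (not real VERSION_INFO output).
SAMPLE_PACKAGED_OLD = {
  "nokogiri" => { "version" => "1.16.4" },
  "libxml"   => { "source" => "packaged", "compiled" => "2.12.6", "loaded" => "2.12.6" },
}
SAMPLE_PACKAGED_NEW = {
  "nokogiri" => { "version" => "1.16.5" },
  "libxml"   => { "source" => "packaged", "compiled" => "2.12.7", "loaded" => "2.12.7" },
}
SAMPLE_SYSTEM_OLD = {
  "nokogiri" => { "version" => "1.16.5" },
  "libxml"   => { "source" => "system", "compiled" => "2.12.7", "loaded" => "2.12.6" },
}

if __FILE__ == $PROGRAM_NAME
  begin
    require "nokogiri"
    puts "this install: #{ghsa_r3w4_status(Nokogiri::VERSION_INFO)}"
  rescue LoadError
    puts "nokogiri not installed; sample result: #{ghsa_r3w4_status(SAMPLE_PACKAGED_OLD)}"
  end
end
```

Run it inside the application's bundle (`bundle exec ruby check.rb`) so the Nokogiri that is inspected is the one the application loads.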

Timeline

  • 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
  • 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
  • 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

References

Published to the GitHub Advisory Database May 14, 2024
Reviewed May 14, 2024
Withdrawn May 16, 2024
Last updated May 16, 2024

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-r3w4-36x6-7r99