Investigate Ubuntu libxml2 patches in USN-3424-1 #1673

Closed
flavorjones opened this Issue Sep 19, 2017 · 8 comments

flavorjones commented Sep 19, 2017

USN-3424-1: libxml2 vulnerabilities

Present in rootfs

https://github.com/cloudfoundry/security-notices/issues/336
Ubuntu Security Notice USN-3424-1

18th September, 2017

libxml2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 17.04
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Summary

Several security issues were fixed in libxml2.

Software description

libxml2 - GNOME XML library
Details

It was discovered that a type confusion error existed in libxml2. An
attacker could use this to specially construct XML data that
could cause a denial of service or possibly execute arbitrary
code. (CVE-2017-0663)

It was discovered that libxml2 did not properly validate parsed entity
references. An attacker could use this to specially construct XML
data that could expose sensitive information. (CVE-2017-7375)

It was discovered that a buffer overflow existed in libxml2 when
handling HTTP redirects. An attacker could use this to specially
construct XML data that could cause a denial of service or possibly
execute arbitrary code. (CVE-2017-7376)

Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in
libxml2 when handling elements. An attacker could use this to specially
construct XML data that could cause a denial of service or possibly
execute arbitrary code. (CVE-2017-9047)

Marcel Böhme and Van-Thuan Pham discovered a buffer overread
in libxml2 when handling elements. An attacker could use this
to specially construct XML data that could cause a denial of
service. (CVE-2017-9048)

Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads
in libxml2 when handling parameter-entity references. An attacker
could use these to specially construct XML data that could cause a
denial of service. (CVE-2017-9049, CVE-2017-9050)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libxml2 2.9.4+dfsg1-2.2ubuntu0.1
Ubuntu 16.04 LTS:
libxml2 2.9.3+dfsg1-1ubuntu0.3
Ubuntu 14.04 LTS:
libxml2 2.9.1+dfsg1-3ubuntu4.10
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-0663, CVE-2017-7375, CVE-2017-7376, CVE-2017-9047, CVE-2017-9048, CVE-2017-9049, CVE-2017-9050
flavorjones commented Sep 19, 2017

It's likely that upgrading to libxml 2.9.5 will pull in these patches, I need to confirm that. If that's the case I expect to be able to turn around an update today.

flavorjones commented Sep 19, 2017

Checking whether these patches are all in 2.9.5; looks like they are (note two patches are repeated in two CVEs):

```
libxml2 $ git tag --contains 92b9e8c8b3787068565a1820ba575d042f9eec66
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
libxml2 $ git tag --contains 90ccb58242866b0ba3edbef8fe44214a101c2b3e
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
libxml2 $ git tag --contains 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
libxml2 $ git tag --contains 932cc9896ab41475d4aa429c27d9afd175959d74
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
libxml2 $ git tag --contains e26630548e7d138d2c560844c43820b6767251e3
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
```
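The same check as a script, added here as an example and not part of the original issue or of libxml2/nokogiri: it asks git whether each fix commit is an ancestor of the release tag and fails if any is missing. The repository it builds is constructed for the demo; the real check runs inside a libxml2 clone with the five commit ids quoted above.

```shell
#!/bin/sh
# Added example (not from the nokogiri issue): verify that every upstream fix
# commit is reachable from a release tag before shipping that release as the
# fix. flavorjones did this by hand with `git tag --contains <sha>` for five
# libxml2 commits against v2.9.5; this turns it into a pass/fail function.
# The repository built below is constructed for the demo.

# patches_in_tag TAG SHA...
# Returns 0 when every SHA is an ancestor of TAG, 1 otherwise, naming the
# commits that are not contained (a typo'd or unmerged id also shows MISSING).
patches_in_tag() {
  tag=$1
  shift
  missing=0
  for sha in "$@"; do
    # Same question as `git tag --contains "$sha" | grep -qx "$tag"`.
    if git merge-base --is-ancestor "$sha" "$tag" 2>/dev/null; then
      echo "ok       $sha is in $tag"
    else
      echo "MISSING  $sha is not in $tag"
      missing=1
    fi
  done
  return $missing
}

# Constructed throwaway repository: two fixes land before the tag, one after.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
DEMO_REPO=$(mktemp -d)
cd "$DEMO_REPO" || exit 1
git init -q .
git commit -q --allow-empty -m "Fix buffer overflow in element handling"
FIX1=$(git rev-parse HEAD)
git commit -q --allow-empty -m "Fix buffer overread in PE references"
FIX2=$(git rev-parse HEAD)
git tag v2.9.5                      # release cut here
git commit -q --allow-empty -m "Post-release fix, not in v2.9.5"
FIX3=$(git rev-parse HEAD)

echo "Fixes shipped in v2.9.5:"
patches_in_tag v2.9.5 "$FIX1" "$FIX2"
echo "A fix that landed after the tag:"
patches_in_tag v2.9.5 "$FIX3" || echo "=> v2.9.5 does not carry every patch"
```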
flavorjones commented Sep 19, 2017

OK, mitigation is going to be updating nokogiri to libxml 2.9.5, which is actually master and ready to release.

@flavorjones flavorjones added this to the 1.8.1 milestone Sep 19, 2017

flavorjones commented Sep 19, 2017

v1.8.1 has shipped, updating nokogiri to libxml 2.9.5.

knu commented Sep 21, 2017

Thanks for your hard work, as always!

flavorjones commented Sep 21, 2017

🙇

jormon commented Sep 21, 2017

👏

amatriain added a commit to amatriain/feedbunch that referenced this issue Sep 21, 2017

Updated nokogiri gem 1.8.0 -> 1.8.1
This fixes a libxml vulnerability, see:

sparklemotion/nokogiri#1673

dazoakley added a commit to dazoakley/immagine that referenced this issue Sep 22, 2017

jsugarman added a commit to ministryofjustice/Claim-for-Crown-Court-Defence that referenced this issue Sep 22, 2017

Update nokogiri
Security vulnerabilities identified in libxml2
as used by nokogiri.

Affected versions: Prior to 1.8.1
Fixed versions: 1.8.1
Identifier: USN-3424-1
Solution: Upgrade to latest version.
Source: sparklemotion/nokogiri#1673

jsugarman added a commit to ministryofjustice/peoplefinder that referenced this issue Sep 22, 2017

Update nokogiri 1.7.2 --> 1.8.1
Security vulnerabilities identified in libxml2
as used by nokogiri.

Affected versions: Prior to 1.8.1
Fixed versions: 1.8.1
Identifier: USN-3424-1
Solution: Upgrade to latest version.
Source: sparklemotion/nokogiri#1673

Mr0grog added a commit to edgi-govdata-archiving/web-monitoring-db that referenced this issue Sep 22, 2017

Update gems; fixes Nokogiri vulnerability
More info on vulnerability (fixed in v1.8.1): sparklemotion/nokogiri#1673
This also updates lots of other assorted gems that were a little behind, but doesn't touch some that have had major revisions (e.g. JWT, which I still need to look into and upgrade).

joshua5201 added a commit to joshua5201/administrate that referenced this issue Sep 23, 2017

Update gems for CVE-2017-9050
Name: nokogiri
Version: 1.7.2
Advisory: CVE-2017-9050
Criticality: Unknown
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Solution: upgrade to >= 1.8.1

AdrianCann added a commit to sophomoric/maddie that referenced this issue Oct 1, 2017

Update nokogiri based on ruby advisory
* Maybe I should write a script to automatically update nokogiri :)

ruby-advisory-db: 288 advisories
Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and
libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt
1.1.29
Solution: upgrade to >= 1.7.2

Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2017-9050
Criticality: Unknown
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE
vulnerabilities
Solution: upgrade to >= 1.8.1

timurvafin added a commit to fs/rewards-bamboohr that referenced this issue Oct 17, 2017

Update nokogiri to 1.8.1 to close CVE-2017-905
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities

timurvafin added a commit to fs/rewards-bamboohr that referenced this issue Oct 17, 2017

Update nokogiri to 1.8.1 to close CVE-2017-905 (#5)
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities

mikeweaver added a commit to Invoca/pre_deploy_checker that referenced this issue Oct 20, 2017

Update nokogiri to resolve security issue
Name: nokogiri
Version: 1.8.0
Advisory: CVE-2017-9050
Criticality: Unknown
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Solution: upgrade to >= 1.8.1

elthariel added a commit to elthariel/omnibus-software that referenced this issue Nov 19, 2017

update libxml2 and libxslt
Based on the work done in the nokogiri project to address multiple CVEs
in libxml2 and libxslt.

https://usn.ubuntu.com/usn/usn-3424-1/

CVE-2017-0663, CVE-2017-7375, CVE-2017-7376, CVE-2017-9047,
CVE-2017-9048, CVE-2017-9049, CVE-2017-9050

sparklemotion/nokogiri#1673
sparklemotion/nokogiri#1670

SHA256 generated from downloads. Downloads verified with GPG:

    gpg --verify libxml2-2.9.5.tar.gz.asc libxml2-2.9.5.tar.gz
    gpg: Signature made Mon Sep  4 09:00:53 2017 EDT using RSA key ID 596BEA5D
    gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard@redhat.com>" [unknown]
    gpg:                 aka "Daniel Veillard <Daniel.Veillard@w3.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: C744 15BA 7C9C 7F78 F02E  1DC3 4606 B8A5 DE95 BC1F
         Subkey fingerprint: DB46 681B B91A DCEA 170F  A2D4 1558 8B26 596B EA5D

    gpg --verify libxslt-1.1.30.tar.gz.asc libxslt-1.1.30.tar.gz
    gpg: Signature made Mon Sep  4 09:36:06 2017 EDT using RSA key ID 596BEA5D
    gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard@redhat.com>" [unknown]
    gpg:                 aka "Daniel Veillard <Daniel.Veillard@w3.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: C744 15BA 7C9C 7F78 F02E  1DC3 4606 B8A5 DE95 BC1F
         Subkey fingerprint: DB46 681B B91A DCEA 170F  A2D4 1558 8B26 596B EA5D

Signed-off-by: Robb Kidd <robb@thekidds.org>

michael-harrison added a commit to michael-harrison/exlibris-primo that referenced this issue Dec 6, 2017

havenwood pushed a commit to havenwood/connect-api-examples that referenced this issue Dec 7, 2017

Shannon Skipper
Bump Rails and Nokogiri versions to address CVEs
Name: actionview
Version: 4.2.6
Advisory: CVE-2016-6316
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
Title: Possible XSS Vulnerability in Action View
Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1

Name: activerecord
Version: 4.2.6
Advisory: CVE-2016-6317
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
Title: Unsafe Query Generation Risk in Active Record
Solution: upgrade to >= 4.2.7.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2017-9050
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Solution: upgrade to >= 1.8.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2016-4658
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2015-8806
URL: sparklemotion/nokogiri#1473
Title: Denial of service or RCE from libxml2 and libxslt
Solution: upgrade to >= 1.6.8

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2017-5029
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

henare added a commit to everypolitician/viewer-sinatra that referenced this issue Dec 14, 2017

Update nokogiri
The currently installed version has a security advisory:

```
Name: nokogiri
Version: 1.8.0
Advisory: CVE-2017-9050
Criticality: Unknown
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Solution: upgrade to >= 1.8.1
```

mokhan added a commit to saml-kit/xml-kit that referenced this issue Jan 7, 2018

mokhan added a commit to saml-kit/saml-kit that referenced this issue Jan 10, 2018

remove explicit nokogiri dependency.
xml-kit specifies a minimum version that has fixes for
nokogiri that ships a version of libxml that does not have a CVE.

sparklemotion/nokogiri#1673

matthewhughes112 added a commit to Accelo/docs that referenced this issue Apr 11, 2018

Update dependency nokogiri from 1.6.8.1 to 1.8.2
This is to address a vulnerability, for further details:
sparklemotion/nokogiri#1673

dominicsayers added a commit to dominicsayers/url_canonicalize that referenced this issue Jun 30, 2018

Ensure secure Nokogiri version
Earlier versions of Nokogiri have security issues as follows:

[CVE-2016-4658](sparklemotion/nokogiri#1615)
[CVE-2017-5029](sparklemotion/nokogiri#1634)
[CVE-2017-9050](sparklemotion/nokogiri#1673)
[CVE-2017-16932](sparklemotion/nokogiri#1714)
[CVE-2017-15412](sparklemotion/nokogiri#1714)
