Fix JRuby memory exhaustion vulnerability #1087

Closed

4 participants
Contributor

ocher commented Apr 30, 2014

This pull request fixes a JRuby memory exhaustion vulnerability which may lead to a DoS attack.

It is very similar to the one described here:
https://groups.google.com/forum/#!msg/ruby-security-ann/DeJpjTAg1FA/CADdUQ6N_qMJ

@knu knu added the jruby label May 7, 2014

Contributor

ocher commented May 22, 2014

Any problems with this pull request? I believe that it is a pretty serious bug and should be merged ASAP.

Owner

flavorjones commented May 22, 2014

@yokolet or @jvshahid - can one of you please review this PR?

Member

jvshahid commented May 22, 2014

Looking

@jvshahid jvshahid closed this in a098ddf May 22, 2014

Owner

flavorjones commented May 22, 2014

Merged, thanks. Will package up 1.6.3.rc1 today.

@rosy1280 rosy1280 referenced this pull request in sul-dlss/common-accessioning Jul 29, 2015

Merged

Update nokogiri #33

@boffbowsh boffbowsh added a commit to alphagov/publisher that referenced this pull request Sep 29, 2015

@boffbowsh boffbowsh Security update for nokogiri af3edb7

@Koronen Koronen added a commit to swanson/stringer that referenced this pull request Jan 24, 2016

@Koronen Koronen Update vulnerable gems
Updates four vulnerable gems, as reported by the `bundler-audit` gem.

- [X] activesupport
- [X] nokogiri
- [X] rack
- [X] rest-client

    $ bundle-audit check
    Name: activesupport
    Version: 4.0.13
    Advisory: CVE-2015-3227
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
    Title: Possible Denial of Service attack in Active Support
    Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22

    Name: nokogiri
    Version: 1.6.1
    Advisory: CVE-2015-5312
    Criticality: High
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
    Title: Nokogiri gem contains several vulnerabilities in libxml2
    Solution: upgrade to >= 1.6.7.1

    Name: nokogiri
    Version: 1.6.1
    Advisory: CVE-2015-7499
    Criticality: Medium
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
    Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in
           libxml2
    Solution: upgrade to >= 1.6.7.2

    Name: nokogiri
    Version: 1.6.1
    Advisory: CVE-2015-1819
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1374
    Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
    Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

    Name: nokogiri
    Version: 1.6.1
    Advisory: 118481
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1087
    Title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory
           Consumption
    Remote DoS
    Solution: upgrade to >= 1.6.3

    Name: rack
    Version: 1.5.2
    Advisory: CVE-2015-3225
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
    Title: Potential Denial of Service Vulnerability in Rack
    Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6

    Name: rest-client
    Version: 1.6.7
    Advisory: CVE-2015-1820
    Criticality: Unknown
    URL: rest-client/rest-client#369
    Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie
           headers in 30x redirection responses
    Solution: upgrade to >= 1.8.0

    Name: rest-client
    Version: 1.6.7
    Advisory: CVE-2015-3448
    Criticality: Unknown
    URL: http://www.osvdb.org/show/osvdb/117461
    Title: Rest-Client Gem for Ruby logs password information in plaintext
    Solution: upgrade to >= 1.7.3

    Vulnerabilities found!
abed0d6
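Added example, not code from this PR, from nokogiri or from bundler-audit: a Ruby check that parses the `bundle-audit check` report format quoted above and decides, using RubyGems version semantics, whether an installed version satisfies each advisory's Solution line. The sample records are constructed by abridging that report; the function names are this example's own.

```ruby
# Constructed sample, abridged from the `bundle-audit check` report above.
SAMPLE_REPORT = <<~REPORT
  Name: nokogiri
  Version: 1.6.1
  Advisory: 118481
  URL: sparklemotion/nokogiri#1087
  Title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory
         Consumption
  Remote DoS
  Solution: upgrade to >= 1.6.3

  Name: rack
  Version: 1.5.2
  Advisory: CVE-2015-3225
  Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6

  Vulnerabilities found!
REPORT

# One hash per blank-line-separated record; an unprefixed line continues a wrapped Title; the trailer (no Advisory) is dropped.
def parse_audit_report(text)
  text.split(/\n[ \t]*\n/).map do |chunk|
    fields, last = {}, nil
    chunk.each_line(chomp: true) do |line|
      if (m = /\A(Name|Version|Advisory|Criticality|URL|Title|Solution):\s*(.*)\z/.match(line))
        last = m[1].downcase.to_sym
        fields[last] = m[2].strip
      elsif last == :title && !line.strip.empty?
        fields[:title] += " " + line.strip
      end
    end
    fields.key?(:advisory) ? fields : nil
  end.compact
end

# The Solution lists alternative fixed release lines, so one satisfied
# requirement is enough; a prerelease such as 1.6.3.rc1 sorts below 1.6.3.
def fixed?(solution, installed)
  version = Gem::Version.new(installed)
  solution.sub(/\Aupgrade to\s*/, "").split(",").any? do |req|
    Gem::Requirement.new(req.strip).satisfied_by?(version)
  end
end

# Advisory ids still open given gem name => installed version (defaulting to the version the report saw).
def outstanding(report, installed = {})
  open = parse_audit_report(report).reject { |a| fixed?(a[:solution], installed.fetch(a[:name], a[:version])) }
  open.map { |a| a[:advisory] }
end
```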

@Koronen Koronen added a commit to swanson/stringer that referenced this pull request Jan 24, 2016

@Koronen Koronen Update vulnerable gems
4884737

@CloCkWeRX CloCkWeRX added a commit to CloCkWeRX/planningalerts-app that referenced this pull request Apr 2, 2016

@CloCkWeRX CloCkWeRX Upgrade sanitize, nokogiri fixing:
Name: nokogiri
Version: 1.5.11
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.5.11
Advisory: 118481
Criticality: Unknown
URL: sparklemotion/nokogiri#1087
Title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption
Remote DoS
Solution: upgrade to >= 1.6.3
b236dbd

@beeflamian beeflamian added a commit to square/shuttle that referenced this pull request Jun 9, 2016

@brandonweeks @beeflamian brandonweeks + beeflamian Update nokogiri to 1.6.7.2
Resolves:
- CVE-2015-1819
- CVE-2015-5312
- CVE-2015-7499
- sparklemotion/nokogiri#1087
53bfd3c