Add CVE-2019-11068 for nokogiri

reedloden · reedloden · commit 7045b4f70928 · 2019-04-22T10:38:28.000-07:00
diff --git a/gems/nokogiri/CVE-2019-11068.yml b/gems/nokogiri/CVE-2019-11068.yml
@@ -0,0 +1,49 @@
+---
+gem: nokogiri
+cve: 2019-11068
+date: 2019-04-22
+url: https://github.com/sparklemotion/nokogiri/issues/1892
+title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
+description: |
+  Nokogiri v1.10.3 has been released.
+
+  This is a security release. It addresses a CVE in upstream libxslt rated as
+  "Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More
+  details are available below.
+
+  If you're using your distro's system libraries, rather than Nokogiri's
+  vendored libraries, there's no security need to upgrade at this time, though
+  you may want to check with your distro whether they've patched this
+  (Canonical has patched Ubuntu packages). Note that this patch is not yet (as
+  of 2019-04-22) in an upstream release of libxslt.
+
+  Full details about the security update are available in Github Issue
+  [#1892] https://github.com/sparklemotion/nokogiri/issues/1892.
+
+  ---
+
+  CVE-2019-11068
+
+  Permalinks are:
+  - Canonical: https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11068
+  - Debian: https://security-tracker.debian.org/tracker/CVE-2019-11068
+
+  Description:
+
+  > libxslt through 1.1.33 allows bypass of a protection mechanism
+  > because callers of xsltCheckRead and xsltCheckWrite permit access
+  > even upon receiving a -1 error code. xsltCheckRead can return -1 for
+  > a crafted URL that is not actually invalid and is subsequently
+  > loaded.
+
+  Canonical rates this as "Priority: Medium".
+
+  Debian rates this as "NVD Severity: High (attack range: remote)".
+
+patched_versions:
+  - ">= 1.10.3"
+
+related:
+  url:
+    - https://groups.google.com/forum/#!msg/ruby-security-ann/_y80o1zZlOs/k4SDX6hoAAAJ
+    - https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
