===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2370
                       ruby-nokogiri security update
                                16 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-nokogiri
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-24836  

Original Bulletin: 
   http://www.debian.org/lts/security/2022/dla-3003

Comment: CVSS (Max):  7.5 CVE-2022-24836 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3003-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
May 13, 2022                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ruby-nokogiri
Version        : 1.6.8.1-1+deb9u2
CVE ID         : CVE-2022-24836
Debian Bug     : #1009787

It was discovered that there was a potential denial of service attack
in ruby-nokogiri, an HTML, XML and SAX parser for the Ruby programming
language. This was caused by the use of inefficient regular expressions
that were susceptible to excessive backtracking.

For Debian 9 "Stretch", this problem has been fixed in version
1.6.8.1-1+deb9u2.

We recommend that you upgrade your ruby-nokogiri packages.

For the detailed security status of ruby-nokogiri please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-nokogiri

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================