
xerces 2.11.0 is vulnerable to CVE-2012-0881 #1831

Closed

flavorjones opened this issue Dec 4, 2018 · 1 comment

Comments

flavorjones (Member) commented Dec 4, 2018

Credit for reporting this vulnerability to Nokogiri Core goes to David Moore @grajagandev who works at Looker. Thanks, David!

This issue is being opened for nokogiri core to triage this vulnerability within the context of Nokogiri.


CVE-2012-0881 Resources

Vulnerable versions of Xerces-Java are present in JRuby versions of the Nokogiri gem from v1.5.0 to v1.8.5, inclusive.


Mitigation: (once Nokogiri v1.9.0 is released) JRuby users should upgrade to Nokogiri v1.9.0
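The affected range stated in the report, turned into a check a maintainer or operator can run against an installed gem. This is an added example, not code from the Nokogiri project or from this issue; it assumes only the range given above (v1.5.0 through v1.8.5 on the JRuby build, fixed in v1.9.0) and uses the RubyGems `Gem::Version` / `Gem::Requirement` classes for comparison. CRuby builds of Nokogiri link libxml2 rather than Xerces-Java, so the check treats any platform other than `java` as not applicable.

```ruby
# Added example (not part of the Nokogiri project or this issue): classify a
# nokogiri gem version/platform pair against the CVE-2012-0881 range reported.
require "rubygems"

# Affected: JRuby builds of the nokogiri gem from v1.5.0 to v1.8.5 inclusive
# (range taken from the issue); v1.9.0 ships the updated Xerces-Java.
AFFECTED = Gem::Requirement.new(">= 1.5.0", "< 1.9.0")
FIXED_IN = Gem::Version.new("1.9.0")

# Returns :affected, :fixed, :below_range, :not_applicable or :unknown.
# On JRuby, RUBY_PLATFORM is "java" and the gem's platform is "java";
# CRuby builds use libxml2, not Xerces-Java, so the CVE does not apply.
def xerces_exposure(version, platform = RUBY_PLATFORM)
  return :not_applicable unless platform.to_s == "java"
  v = Gem::Version.new(version)
  if AFFECTED.satisfied_by?(v)
    :affected
  elsif v >= FIXED_IN
    :fixed
  else
    :below_range # predates the versions named in the report
  end
rescue ArgumentError
  :unknown # malformed version string
end

# Check the newest nokogiri gem installed in this environment, if any,
# using the gem's own platform rather than the running interpreter's.
def installed_nokogiri_exposure
  spec = Gem::Specification.find_all_by_name("nokogiri").max_by(&:version)
  return :not_installed if spec.nil?
  xerces_exposure(spec.version.to_s, spec.platform)
end

if __FILE__ == $PROGRAM_NAME
  puts "installed nokogiri: #{installed_nokogiri_exposure}"
end
```

Run it with the JRuby interpreter that serves the application; `:affected` means the vendored Xerces-Java 2.11.0 is in use and the upgrade to v1.9.0 applies.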

flavorjones (Member, Author) commented:

Commit 2ecd40e updates Xerces-Java to v2.12.0 which according to the NVD entry linked above addresses this vulnerability.

I'll also note that we've scheduled work on the two following issues to help make versions of vendored Java libraries both more discoverable and easier to maintain and update:

both of which are planned for Nokogiri v1.10.0 (but track the milestones on each of those issues for up-to-date information).
