Investigate libxml2 vulnerabilities patched in USN-4274-1 #1992

@flavorjones

Description

This issue is to drive investigation and potential action around a set of upstream patches that Canonical judged valuable enough to port to their distributions.

References:


Summary

Synthesis

CVE-2019-19956 was addressed in upstream libxml2 release v2.9.10, which has been vendored in Nokogiri since v1.10.5 on 2019-10-31.

CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.

Actions

Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2, and released this as v1.10.8: https://github.com/sparklemotion/nokogiri/releases/tag/v1.10.8

If you are using Nokogiri <= v1.10.7, please upgrade to v1.10.8 or later.
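As an added example (not code from the Nokogiri project or this issue), the check below turns the two summary points into a version comparison a defender can run against a deployed application: the CVE-2019-19956 fix arrived with libxml2 2.9.10, while the CVE-2020-7595 fix is only in the Nokogiri backport from v1.10.8 on, so each CVE is judged by the version that carries its fix. It assumes Nokogiri builds against its vendored libxml2 (the default), and that `Nokogiri::VERSION_INFO["libxml"]["loaded"]` reports the libxml2 actually loaded, as it does in 1.10.x; the sample version pairs at the bottom are constructed for a stand-alone run.

```ruby
# Added example: is an installed Nokogiri / libxml2 pair still exposed to the
# two CVEs from USN-4274-1? Not part of the Nokogiri project.
require "rubygems" # Gem::Version gives numeric ordering ("1.10.10" > "1.10.8")

# Fix versions as stated in the issue summary.
LIBXML2_FIX_FOR_CVE_2019_19956 = Gem::Version.new("2.9.10") # upstream libxml2 release
NOKOGIRI_FIX_FOR_CVE_2020_7595  = Gem::Version.new("1.10.8") # Nokogiri backport release

# Returns the CVE ids from the advisory that still apply to the given
# Nokogiri gem version and the libxml2 version it loaded at runtime.
# An empty array means neither CVE applies. A leading "v" is tolerated.
def unpatched_cves(nokogiri_version, libxml2_version)
  nk = Gem::Version.new(nokogiri_version.to_s.sub(/\Av/, ""))
  lx = Gem::Version.new(libxml2_version.to_s.sub(/\Av/, ""))
  cves = []
  # CVE-2019-19956 is fixed by the libxml2 release itself, so the loaded
  # library version decides, whether it is vendored or a system copy.
  cves << "CVE-2019-19956" if lx < LIBXML2_FIX_FOR_CVE_2019_19956
  # No upstream libxml2 release carries the CVE-2020-7595 fix at the time of the
  # advisory; only Nokogiri's own backport does, so the gem version decides.
  # Assumption: vendored libxml2. With a distro-patched system libxml2 the
  # distro's patch status (e.g. USN-4274-1) decides instead.
  cves << "CVE-2020-7595" if nk < NOKOGIRI_FIX_FOR_CVE_2020_7595
  cves
end

# Reads the versions from the current process when Nokogiri is loaded.
# Assumes Nokogiri::VERSION_INFO["libxml"]["loaded"] (present in 1.10.x);
# returns nil when Nokogiri is absent so the rest of the file runs offline.
def installed_versions
  return nil unless defined?(Nokogiri::VERSION_INFO)
  [Nokogiri::VERSION, Nokogiri::VERSION_INFO.dig("libxml", "loaded")]
end

# Constructed sample pairs (not real inventory data) for a stand-alone run.
SAMPLES = {
  "Nokogiri 1.10.4 + libxml2 2.9.9"  => %w[1.10.4 2.9.9],
  "Nokogiri 1.10.7 + libxml2 2.9.10" => %w[1.10.7 2.9.10],
  "Nokogiri 1.10.8 + libxml2 2.9.10" => %w[1.10.8 2.9.10],
}

if __FILE__ == $0
  SAMPLES.each { |label, (nk, lx)| puts "#{label}: #{unpatched_cves(nk, lx).inspect}" }
  pair = installed_versions
  puts "this process: #{unpatched_cves(*pair).inspect}" if pair
end
```

Run it inside the application's bundle (`bundle exec ruby check.rb` after `require "nokogiri"`) to see the live pair; the gem version alone is not enough when Nokogiri was built with `--use-system-libraries`, which is why the check takes the loaded libxml2 version separately.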


History of this notification

  • 2020-02-10: USN-4274-1 published by Canonical
  • 2020-02-10: this github issue created
  • 2020-02-10: Nokogiri v1.10.8 is released with patched libxml2
