
Re: CVE-2019-5477: ruby-nokogiri issue caused by rexical

Hi Mike,

On Fri, Aug 30, 2019 at 03:22:23PM +0200, Salvatore Bonaccorso wrote:
> Hi Mike,
> On Fri, Aug 30, 2019 at 11:25:16AM +0000, Mike Gabriel wrote:
> > However, to address CVE-2019-5477 it should also be associated to the
> > rexical src:pkg in stretch and later. @security-team: can you please update
> > data/CVE/list appropriately (instead of me updating it and you correcting my
> > change)? Thanks!
> The CVE is very specifically assigned to Nokogiri itself (Nokogiri does
> not regenerate the code with rexical AFAICS, but will double check
> again). Thus not updating it for now, but I have a pending request to
> MITRE to clarify the scope of the CVE.

MITRE confirmed the scope can be covered by the change in rexical as
well, considering it a vulnerability in that source as well.

Thus following that, I added it now.
