[Patch/Fixed] Integer Overflow or Wraparound in libxml2 affects Nokogiri

[imhunterand]

Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from v2.9.13 to v2.9.14.

libxml2 v2.9.14 addresses CVE-2022-29824. This version also includes several security-related bug fixes for which CVEs were not created, including a potential double-free, potential memory leaks, and integer-overflow.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.5, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Impact

CVSS3 score: 8.6/ 10 CWE-190

[nickumia-reisys]

Newer versions have been merged in main

• https://github.com/GSA/sdg-indicators-usa/commit/03e1fd63e7efb8d848232997158964681e78ee0d
• https://github.com/GSA/sdg-indicators-usa/pull/1048

Sorry it took so long for us to get to this. Thanks for your contributions though 👍