Source: rexical
Version: 1.0.5-2
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for rexical.

CVE-2019-5477[0]:
| A command injection vulnerability in Nokogiri v1.10.3 and earlier
| allows commands to be executed in a subprocess via Ruby's
| `Kernel.open` method. Processes are vulnerable only if the
| undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being
| called with unsafe user input as the filename. This vulnerability
| appears in code generated by the Rexical gem versions v1.0.6 and
| earlier. Rexical is used by Nokogiri to generate lexical scanner code
| for parsing CSS queries. The underlying vulnerability was addressed in
| Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in
| Nokogiri v1.10.4.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5477
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477

Regards,
Salvatore
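The advisory above turns on one Ruby detail: `Kernel.open` treats a string argument that begins with `|` as a command to run in a subprocess, while `File.open` treats the same string as a literal path. The example below is an added illustration, not code from the bug report, from Rexical or from Nokogiri; the helper names `pipe_command?` and `safe_read_file` and the sample file contents are assumptions made for this example. It shows the check a maintainer would apply to a user-supplied filename and the `File.open`-based replacement for the unsafe `open(filename)` pattern.

```ruby
# Added example (not from the bug report or from Rexical/Nokogiri): why
# Kernel.open is the wrong API for untrusted filenames, and a safe replacement.
#
# Kernel.open("|cmd") runs cmd in a subprocess and returns a pipe to it.
# File.open("|cmd") never does that: the string is a literal path, so a
# hostile filename can at worst fail with Errno::ENOENT.
require "tempfile"

# Returns true when Kernel.open would interpret +name+ as a subprocess
# command rather than a file path. Useful as a validation / detection check
# on user-supplied filenames before they reach any file-opening code.
def pipe_command?(name)
  name.to_s.start_with?("|")
end

# Safe replacement for `open(filename).read` on untrusted input: rejects
# pipe-style names outright and uses File.open, which has no subprocess
# behaviour regardless of what the string contains.
def safe_read_file(name)
  raise ArgumentError, "refusing pipe-style filename: #{name.inspect}" if pipe_command?(name)
  File.open(name, "r") { |f| f.read }
end

# Constructed sample input: a real temporary file standing in for a lexer
# input file, plus (in the demo below) a hostile-looking name.
SAMPLE_FILE = Tempfile.new("rexical-example").tap do |t|
  t.write("a { color: red }")
  t.flush
end

if __FILE__ == $0
  puts safe_read_file(SAMPLE_FILE.path)
  begin
    safe_read_file("|echo injected")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Rejecting the `|` prefix is a belt-and-braces check; the real fix is the switch from `Kernel.open` to `File.open`, which is what the Rexical v1.0.7 generated code relies on.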