Your message dated Mon, 29 Jun 2026 00:46:49 +0000
with message-id <[email protected]>
and subject line Bug#1140769: fixed in ruby-nokogiri 1.19.4+dfsg-1
has caused the Debian Bug report #1140769,
regarding ruby-nokogiri: CVE-2026-57234 CVE-2026-57235 CVE-2026-57236
CVE-2026-57434 CVE-2026-57435 CVE-2026-57436 CVE-2026-57437 CVE-2026-57438
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140769: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140769
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-nokogiri
Version: 1.19.3+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for ruby-nokogiri.
CVE-2026-57234[0]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, the NONET parse option, which
| Nokogiri turns on by default for Nokogiri::XML::Schema (see
| CVE-2020-26247), was not correctly enforced on the JRuby
| implementation. As a result, a schema parsed with default options
| could still cause external resources to be fetched over the network,
| potentially enabling SSRF or XXE attacks. This vulnerability is
| fixed in 1.19.4.
CVE-2026-57235[1]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri::XML::NodeSet#[]
| (and its alias #slice) checked the requested index against the node
| set's bounds using a 32-bit-truncated copy of the index. A large
| negative index could pass the check and then be used at full width,
| reading outside the node set's storage. On CRuby this is an
| out-of-bounds read that typically crashes the process; on JRuby it is not
| memory-unsafe but returns an incorrect node. This vulnerability is
| fixed in 1.19.4.
CVE-2026-57236[2]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, calling Document#encoding=
| with an invalid encoding (e.g., a non-string, or a string containing
| a null byte) raises an exception, but only after freeing the
| document's current encoding string without replacing it. The
| document is left referencing freed memory, so the next call to
| Document#encoding reads invalid memory, which can cause a segfault
| or leak freed bytes into a Ruby String. Affects the CRuby (libxml2)
| implementation only; JRuby is not affected. This vulnerability is
| fixed in 1.19.4.
CVE-2026-57434[3]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri contains a bug when
| calling certain methods on allocated-but-uninitialized native
| wrapper classes that inherit from Nokogiri::XML::Node. This caused a
| NULL pointer dereference that could crash the process. This
| vulnerability is fixed in 1.19.4.
CVE-2026-57435[4]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri’s CRuby native
| extension could leave a Ruby wrapper pointing to freed memory when
| replacing the value of an XML attribute. If Ruby code had already
| accessed an attribute child node, Nokogiri::XML::Attr#value= could
| free the underlying native child node while the wrapper remained
| reachable through the document node cache. A later use of the freed
| child node or a Ruby GC mark could dereference an invalid pointer,
| causing an invalid read and a possible segfault. This vulnerability
| is fixed in 1.19.4.
CVE-2026-57436[5]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri::XML::Document#root=
| validated only that the new root was a Nokogiri::XML::Node, allowing
| a DTD node to be set as the document root. The result is a heap
| use-after-free during garbage collection or finalization, leading to an
| invalid memory read or potentially a segfault. This vulnerability is
| fixed in 1.19.4.
CVE-2026-57437[6]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext
| did not keep its source document alive for garbage collection. If an
| XPathContext outlived its document and the document was collected,
| evaluating an XPath expression could read invalid memory and
| potentially segfault. This is only reachable when application code
| constructs an XPathContext directly and lets the document become
| unreachable while continuing to use the context. The normal
| Document#xpath, #css, and related search methods are not affected,
| and it is not triggerable by malicious document input. This
| vulnerability is fixed in 1.19.4.
CVE-2026-57438[7]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, XInclude substitution
| performed by Nokogiri::XML::Node#do_xinclude replaced each
| <xi:include> in place, freeing the include node along with its
| children (such as <xi:fallback> and its descendants) and any
| namespaces declared on them. If an application had already exposed
| one of those nodes or namespaces to Ruby, the corresponding Ruby
| object was left pointing at freed memory. Using the object could
| result in invalid reads or writes to memory. This vulnerability is
| fixed in 1.19.4.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-57234
https://www.cve.org/CVERecord?id=CVE-2026-57234
[1] https://security-tracker.debian.org/tracker/CVE-2026-57235
https://www.cve.org/CVERecord?id=CVE-2026-57235
[2] https://security-tracker.debian.org/tracker/CVE-2026-57236
https://www.cve.org/CVERecord?id=CVE-2026-57236
[3] https://security-tracker.debian.org/tracker/CVE-2026-57434
https://www.cve.org/CVERecord?id=CVE-2026-57434
[4] https://security-tracker.debian.org/tracker/CVE-2026-57435
https://www.cve.org/CVERecord?id=CVE-2026-57435
[5] https://security-tracker.debian.org/tracker/CVE-2026-57436
https://www.cve.org/CVERecord?id=CVE-2026-57436
[6] https://security-tracker.debian.org/tracker/CVE-2026-57437
https://www.cve.org/CVERecord?id=CVE-2026-57437
[7] https://security-tracker.debian.org/tracker/CVE-2026-57438
https://www.cve.org/CVERecord?id=CVE-2026-57438
Regards,
Salvatore
--- End Message ---
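For readers of this report, the index-width mismatch described under CVE-2026-57235 is easy to model in plain Ruby without Nokogiri installed. The snippet below is an added illustration, not code from Nokogiri or from this report; `to_int32`, `raw_read`, `vulnerable_at`, `fixed_at` and the three-element sample array are constructed stand-ins for NodeSet#[] and its backing storage.

```ruby
# Added illustration (not Nokogiri's code): the bounds check on a truncated
# index that CVE-2026-57235 describes, modelled on a plain Ruby array.

# Emulate storing a Ruby Integer in a C 'int': keep the low 32 bits, sign-extend.
def to_int32(n)
  n &= 0xffffffff
  n >= 0x80000000 ? n - 0x100000000 : n
end

# Stand-in for the raw node-set storage: returns a sentinel instead of
# crashing when asked for a slot outside the backing array.
def raw_read(storage, offset)
  return :OUT_OF_BOUNDS if offset < 0 || offset >= storage.length
  storage[offset]
end

# Vulnerable pattern: the bounds check runs on a 32-bit-truncated copy of
# the index, but the storage access uses the full-width value.
def vulnerable_at(storage, index)
  len = storage.length
  checked = to_int32(index)
  checked += len if checked < 0
  return nil if checked < 0 || checked >= len   # passes for the truncated copy
  actual = index                                 # ...but the read uses this one
  actual += len if actual < 0
  raw_read(storage, actual)
end

# Fixed pattern: check and access use the same normalised full-width index.
def fixed_at(storage, index)
  len = storage.length
  i = index
  i += len if i < 0
  return nil if i < 0 || i >= len
  raw_read(storage, i)
end

# Constructed sample: three "nodes" and a large negative index whose low
# 32 bits happen to equal 1, so the truncated check sees a valid position.
NODES = %w[a b c].freeze
BAD_INDEX = -(2**32) + 1   # to_int32(BAD_INDEX) == 1

if __FILE__ == $PROGRAM_NAME
  p vulnerable_at(NODES, BAD_INDEX)  # :OUT_OF_BOUNDS (CRuby: read past storage)
  p fixed_at(NODES, BAD_INDEX)       # nil
end
```

The same shape of defect applies to any wrapper that validates a value at one width and consumes it at another, which is why the check and the use must share one variable.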
--- Begin Message ---
Source: ruby-nokogiri
Source-Version: 1.19.4+dfsg-1
Done: Simon Quigley <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ruby-nokogiri, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Quigley <[email protected]> (supplier of updated ruby-nokogiri package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 28 Jun 2026 19:14:47 -0500
Source: ruby-nokogiri
Architecture: source
Version: 1.19.4+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Simon Quigley <[email protected]>
Closes: 1140769 1141020
Changes:
ruby-nokogiri (1.19.4+dfsg-1) unstable; urgency=medium
.
* Team upload.
* New upstream release (Closes: #1140769):
- Fixes CVE-2026-57234, CVE-2026-57235, CVE-2026-57236, CVE-2026-57434,
CVE-2026-57435, CVE-2026-57436, CVE-2026-57437, and CVE-2026-57438.
* Add 0007-drop-encoding-test.patch to fix the FTBFS on riscv64
(Closes: #1141020).
--- End Message ---