Update 2 files (!28026) · Merge requests · GitLab.org / security-products / advisory-database · GitLab

Jayson Salazar Rodriguez requested to merge jdsalaro-fix-CVE-2023-28484-CVE-2023-29469-GMS-2023-1115 into master May 02, 2024

closes #284 (closed)

The actual advisory for nokogiri lives at https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/nokogiri/GMS-2023-1115.yml

It hasn't been assigned a CVE, only a GitHub advisory.

It was created to reflect these CVEs associated with its libxml2 dependency:

CVE-2023-29469: Hashing of empty dict strings isn't deterministic CVE-2023-28484: Fix null deref in xmlSchemaFixupComplexType

keep The actual advisory for nokogiri lives at https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/nokogiri/GMS-2023-1115.yml

should be invalidated https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/nokogiri/CVE-2023-28484.yml

should be invalidated https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/nokogiri/CVE-2023-29469.yml

valid https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/conan/libxml2/CVE-2023-28484.yml

valid https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/conan/libxml2/CVE-2023-29469.yml