nokogiri-1.13.9 in v4.4.2 has vulnerability(CVE-2022-23476)

Question

nokogiri-1.13.9 in v4.4.2 has vulnerability(CVE-2022-23476)

paragsn opened this issue a year ago · comments

Parag Ninawe commented a year ago

I can see the Gemfile in master branch has updated the version of nokogiri

Is there any plan for new Release ?

Daijiro Fukuda · Answer 1 · Wed Apr 05 2023 09:28:00 GMT+0800 (China Standard Time)

Isn't it v4.4.2?

We are planning new Release.
Please wait a little longer for scheduled dates, etc.

CVE-2022-23476 does not affect Fluentd.
in_windows_eventlog2 uses Nokogiri with render_as_xml true, but it reads only XML formatted by Windows.
So, it is unlikely that it could be affected by this vulnerability by loading invalid XML.

Parag Ninawe · Answer 2 · Wed Apr 05 2023 15:42:44 GMT+0800 (China Standard Time)

Thank you for the response. Yes, I wanted to highlight for the latest version v4.4.2

Takuro Ashie · Answer 3 · Wed May 10 2023 15:35:27 GMT+0800 (China Standard Time)

We released td-agent v5, bundled nokogiri is updated to 1.14.3.

https://github.com/fluent/fluent-package-builder/releases/tag/v4.5.0