Package Instance

Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171
## Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to
[v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6).

libxml2 v2.13.6 addresses:

- CVE-2025-24928
  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
- CVE-2024-56171
   - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

## Impact

### CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation
errors if the input contains a long (~3kb) QName prefix.

### CVE-2024-56171

Use-after-free is possible during validation against untrusted
XML Schemas (.xsd) and, potentially, validation of untrusted documents
against trusted Schemas if they make use of `xsd:keyref` in combination
with recursively defined types that have additional identity constraints.

Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs
## Summary

Nokogiri v1.18.4 upgrades its dependency libxslt to
[v1.1.43](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.43).

libxslt v1.1.43 resolves:

- CVE-2025-24855: Fix use-after-free of XPath context node
- CVE-2024-55549: Fix UAF related to excluded namespaces

## Impact

### CVE-2025-24855

- "Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node"
- MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
- Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855

### CVE-2024-55549

- "Use-after-free related to excluded result prefixes"
- MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
- Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549

Update packaged libxml2 to v2.10.4 to resolve multiple CVEs
### Summary

Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to
[v2.10.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4) from v2.10.3.

libxml2 v2.10.4 addresses the following known vulnerabilities:

- [CVE-2023-29469](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469): Hashing of
  empty dict strings isn't deterministic
- [CVE-2023-28484](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484): Fix null deref
  in xmlSchemaFixupComplexType
- Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.14.3`,
and only if the _packaged_ libraries are being used. If you've overridden defaults at installation
time to use _system_ libraries instead of packaged libraries, you should instead pay attention to
your distro's `libxml2` release announcements.


### Mitigation

Upgrade to Nokogiri `>= 1.14.3`.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against external libraries libxml2 `>= 2.10.4` which will also address these
same issues.


### Impact

No public information has yet been published about the security-related issues other than the
upstream commits. Examination of those changesets indicate that the more serious issues relate to
libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.

The commits can be examined at:

- [\[CVE-2023-29469\] Hashing of empty dict strings isn't deterministic (09a2dd45)](https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64)
- [\[CVE-2023-28484\] Fix null deref in xmlSchemaFixupComplexType (647e072e)](https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f)
- [schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7)](https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6)