| Name | CVE-2022-24839 |
| Description | org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1021739 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| nekohtml (PTS) | bullseye | 1.9.22-1.1 | vulnerable |
| sid, trixie, bookworm | 1.9.22.noko2-0.1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| nekohtml | source | (unstable) | 1.9.22.noko2-0.1 | | | 1021739 |
Notes
[bullseye] - nekohtml <no-dsa> (Minor issue)
[buster] - nekohtml <no-dsa> (Minor issue)
[stretch] - nekohtml <no-dsa> (Minor issue)
https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d