xerces 2.11.0 is vulnerable to CVE-2012-0881

[flavorjones]

Credit for reporting this vulnerability to Nokogiri Core goes to David Moore @grajagandev who works at Looker. Thanks, David!

This issue is being opened for nokogiri core to triage this vulnerability within the context of Nokogiri.

---

CVE-2012-0881 Resources

• NVD: https://nvd.nist.gov/vuln/detail/CVE-2012-0881
  • CVSS v3.0 Severity and Metrics: Base Score: 7.5 HIGH
  • Affects: versions up to (including) 2.11.0

Vulnerabile versions of Xerces-Java is present in JRuby versions of the Nokogiri gem from v1.5.0 to v1.8.5, inclusive.

---

Mitigation: (once Nokogiri v1.9.0 is released) JRuby users should upgrade to Nokogiri v1.9.0

[flavorjones]

Commit 2ecd40e updates Xerces-Java to v2.12.0 which according to the NVD entry linked above addresses this vulnerability.

I'll also note that we've scheduled work on the two following issues to help make versions of vendored Java libraries both more discoverable and easier to maintain and update:

• use jar-dependencies for requiring jars #1253 using jar-dependencies
• Update nokogiri -v to include versions of new libraries #1395 printing versions of all java dependencies in nokogiri -v

both of which are planned for Nokogiri v1.10.0 (but track the milestones on each of those issues for up-to-date information).