#1140769 ruby-nokogiri: CVE-2026-57234 CVE-2026-57235 CVE-2026-57236 CVE-2026-57434 CVE-2026-57435 CVE-2026-57436 CVE-2026-57437 CVE-2026-57438

Package:
src:ruby-nokogiri
Source:
src:ruby-nokogiri
Submitter:
Salvatore Bonaccorso
Date:
2026-06-29 00:49:02 UTC
Severity:
normal
Tags:
#1140769#5
Date:
2026-06-26 04:15:03 UTC
From:
To:
Hi,

The following vulnerabilities were published for ruby-nokogiri.

CVE-2026-57234[0]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, the NONET parse option, which
| Nokogiri turns on by default for Nokogiri::XML::Schema (see
| CVE-2020-26247), was not correctly enforced on the JRuby
| implementation. As a result, a schema parsed with default options
| could still cause external resources to be fetched over the network,
| potentially enabling SSRF or XXE attacks. This vulnerability is
| fixed in 1.19.4.


CVE-2026-57235[1]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri::XML::NodeSet#[]
| (and its alias #slice) checked the requested index against the node
| set's bounds using a 32-bit-truncated copy of the index. A large
| negative index could pass the check and then be used at full width,
| reading outside the node set's storage. On CRuby this is an out-of-
| bounds read that typically crashes the process; on JRuby it is not
| memory-unsafe but returns an incorrect node. This vulnerability is
| fixed in 1.19.4.


CVE-2026-57236[2]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, calling Document#encoding=
| with an invalid encoding (e.g., a non-string, or a string containing
| a null byte) raises an exception, but only after freeing the
| document's current encoding string without replacing it. The
| document is left referencing freed memory, so the next call to
| Document#encoding reads invalid memory, which can cause a segfault
| or leak freed bytes into a Ruby String. Affects the CRuby (libxml2)
| implementation only; JRuby is not affected. This vulnerability is
| fixed in 1.19.4.


CVE-2026-57434[3]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri contains a bug when
| calling certain methods on allocated-but-uninitialized native
| wrapper classes that inherit from Nokogiri::XML::Node. This caused a
| NULL pointer dereference that could crash the process. This
| vulnerability is fixed in 1.19.4.


CVE-2026-57435[4]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri’s CRuby native
| extension could leave a Ruby wrapper pointing to freed memory when
| replacing the value of an XML attribute. If Ruby code had already
| accessed an attribute child node, Nokogiri::XML::Attr#value= could
| free the underlying native child node while the wrapper remained
| reachable through the document node cache. A later use of the freed
| child node or a Ruby GC mark could dereference an invalid pointer,
| causing an invalid read and a possible segfault. This vulnerability
| is fixed in 1.19.4.


CVE-2026-57436[5]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri::XML::Document#root=
| validated only that the new root was a Nokogiri::XML::Node, allowing
| a DTD node to be set as the document root. The result is a heap use-
| after-free during garbage collection or finalization, leading to an
| invalid memory read or potentially a segfault. This vulnerability is
| fixed in 1.19.4.


CVE-2026-57437[6]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext
| did not keep its source document alive for garbage collection. If an
| XPathContext outlived its document and the document was collected,
| evaluating an XPath expression could read invalid memory and
| potentially segfault. This is only reachable when application code
| constructs an XPathContext directly and lets the document become
| unreachable while continuing to use the context. The normal
| Document#xpath, #css, and related search methods are not affected,
| and it is not triggerable by malicious document input. This
| vulnerability is fixed in 1.19.4.


CVE-2026-57438[7]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, XInclude substitution
| performed by Nokogiri::XML::Node#do_xinclude replaced each
| <xi:include> in place, freeing the include node along with its
| children (such as <xi:fallback> and its descendants) and any
| namespaces declared on them. If an application had already exposed
| one of those nodes or namespaces to Ruby, the corresponding Ruby
| object was left pointing at freed memory. Using the object could
| result in invalid reads or writes to memory. This vulnerability is
| fixed in 1.19.4.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-57234
https://www.cve.org/CVERecord?id=CVE-2026-57234
[1] https://security-tracker.debian.org/tracker/CVE-2026-57235
https://www.cve.org/CVERecord?id=CVE-2026-57235
[2] https://security-tracker.debian.org/tracker/CVE-2026-57236
https://www.cve.org/CVERecord?id=CVE-2026-57236
[3] https://security-tracker.debian.org/tracker/CVE-2026-57434
https://www.cve.org/CVERecord?id=CVE-2026-57434
[4] https://security-tracker.debian.org/tracker/CVE-2026-57435
https://www.cve.org/CVERecord?id=CVE-2026-57435
[5] https://security-tracker.debian.org/tracker/CVE-2026-57436
https://www.cve.org/CVERecord?id=CVE-2026-57436
[6] https://security-tracker.debian.org/tracker/CVE-2026-57437
https://www.cve.org/CVERecord?id=CVE-2026-57437
[7] https://security-tracker.debian.org/tracker/CVE-2026-57438
https://www.cve.org/CVERecord?id=CVE-2026-57438

Regards,
Salvatore
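Of the eight issues above, CVE-2026-57235 is the one whose mechanism is easiest to reason about without the native extension: the bounds check ran on a 32-bit-truncated copy of the index while the read used the index at full width. The following pure-Ruby model is an added illustration, not Nokogiri's code and not part of this bug report; `RawBuffer`, `vulnerable_fetch`, `fixed_fetch` and the three-node sample are constructed for the example, and `RawBuffer` raises where C code would silently read outside its storage.

```ruby
# Added example (not Nokogiri's own code): a pure-Ruby model of the
# CVE-2026-57235 defect. The vulnerable shape checks a 32-bit-truncated
# copy of the index against the bounds and then reads with the full-width
# index; the fixed shape checks and reads the same value.

class OutOfBoundsRead < StandardError; end

# Stands in for the node set's native storage: a fixed-size array whose
# reads outside [0, length) are an error rather than nil as a Ruby Array
# would return.
class RawBuffer
  attr_reader :length

  def initialize(items)
    @items = items.dup.freeze
    @length = items.length
  end

  def read(offset)
    unless offset.between?(0, @length - 1)
      raise OutOfBoundsRead, "read at offset #{offset} (length #{@length})"
    end
    @items[offset]
  end
end

# Truncate an arbitrary Ruby Integer to a signed 32-bit value, as an
# assignment to a C `int` would.
def to_int32(n)
  n &= 0xFFFFFFFF
  n >= 0x80000000 ? n - 0x100000000 : n
end

# Resolve a possibly negative index relative to a length (-1 is the last
# element); no bounds check here.
def resolve(index, length)
  index < 0 ? index + length : index
end

# Vulnerable shape: bounds check on the truncated copy, read at full width.
# Returns nil for an index the check rejects.
def vulnerable_fetch(buffer, index)
  checked = resolve(to_int32(index), buffer.length)
  return nil if checked < 0 || checked >= buffer.length

  buffer.read(resolve(index, buffer.length))
end

# Fixed shape: the value that was checked is the value that is read.
def fixed_fetch(buffer, index)
  offset = resolve(index, buffer.length)
  return nil if offset < 0 || offset >= buffer.length

  buffer.read(offset)
end

# Constructed sample: a three-node set.
NODES = RawBuffer.new(%w[a b c])

# An index that truncates to 1 in 32 bits but is -4294967295 at full width:
# it passes the truncated check, then resolves to a large negative offset.
TRUNCATING_INDEX = -(1 << 32) + 1

if __FILE__ == $PROGRAM_NAME
  puts "fixed_fetch(-1)      => #{fixed_fetch(NODES, -1).inspect}"
  puts "to_int32(trunc idx)  => #{to_int32(TRUNCATING_INDEX)}"
  puts "fixed_fetch(trunc)   => #{fixed_fetch(NODES, TRUNCATING_INDEX).inspect}"
  begin
    vulnerable_fetch(NODES, TRUNCATING_INDEX)
  rescue OutOfBoundsRead => e
    puts "vulnerable_fetch(trunc) raised: #{e.message}"
  end
end
```

The point for anyone reviewing similar native wrappers: whenever an index is narrowed to a C type, the narrowed value must be the one both checked and used, or the check validates a different number than the one that reaches the memory access.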

#1140769#8
Date:
2026-06-29 00:15:37 UTC
From:
To:
Hello,

Bug #1140769 in ruby-nokogiri reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/ruby-team/ruby-nokogiri/-/commit/9f9d26aa7072964c29f74efb587f17f9274421b2
------------------------------------------------------------------------
* New upstream release (Closes: #1140769):
  - Fixes CVE-2026-57234, CVE-2026-57235, CVE-2026-57236, CVE-2026-57434,
    CVE-2026-57435, CVE-2026-57436, CVE-2026-57437, and CVE-2026-57438.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140769

#1140769#15
Date:
2026-06-29 00:46:49 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
ruby-nokogiri, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140769@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Quigley <tsimonq2@debian.org> (supplier of updated ruby-nokogiri package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 28 Jun 2026 19:14:47 -0500
Source: ruby-nokogiri
Architecture: source
Version: 1.19.4+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Simon Quigley <tsimonq2@debian.org>
Closes: 1140769 1141020
Changes:
 ruby-nokogiri (1.19.4+dfsg-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release (Closes: #1140769):
     - Fixes CVE-2026-57234, CVE-2026-57235, CVE-2026-57236, CVE-2026-57434,
       CVE-2026-57435, CVE-2026-57436, CVE-2026-57437, and CVE-2026-57438.
   * Add 0007-drop-encoding-test.patch to fix the FTBFS on riscv64
     (Closes: #1141020).
Checksums-Sha1:
 70459dfdbe1f3388894034fcc49dd5076b7edb2c 2449 ruby-nokogiri_1.19.4+dfsg-1.dsc
 9c59fbd9cbd8a930c90ce9649d6967991d374f67 930344 ruby-nokogiri_1.19.4+dfsg.orig.tar.xz
 dc5110438d412f5a87b7f002d5ccc30e0d985e5d 12224 ruby-nokogiri_1.19.4+dfsg-1.debian.tar.xz
 c488032f7a650faed27b50684eced627a7f7b8fc 7870 ruby-nokogiri_1.19.4+dfsg-1_source.buildinfo
Checksums-Sha256:
 7a2d3e74df32045cdd0a27b9903163967444117c63da8dd56b271c26b40da73b 2449 ruby-nokogiri_1.19.4+dfsg-1.dsc
 626f45a9dcfe486b095cf054c907d23896c19dad0033eb555f4b9634688bbd9f 930344 ruby-nokogiri_1.19.4+dfsg.orig.tar.xz
 6f3d4250374ab606e4372fcc26faef6f53d7d14cdbf85f8351cea12e3d0e8d19 12224 ruby-nokogiri_1.19.4+dfsg-1.debian.tar.xz
 93e971145e3b2a1b29265b9818cdebf7eb713bb84d30c06d5d3a26cf5b67a7be 7870 ruby-nokogiri_1.19.4+dfsg-1_source.buildinfo
Files:
 49b98ea8f57bc237efd44c2aebb5d1bd 2449 ruby optional ruby-nokogiri_1.19.4+dfsg-1.dsc
 b8abaa536f798589d3a0df78195ddbdf 930344 ruby optional ruby-nokogiri_1.19.4+dfsg.orig.tar.xz
 963f01405ecc43fc54bccc64c16e861e 12224 ruby optional ruby-nokogiri_1.19.4+dfsg-1.debian.tar.xz
 1687690fe01b2799663978f05820f5ef 7870 ruby optional ruby-nokogiri_1.19.4+dfsg-1_source.buildinfo