Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Bump nokogiri from 1.5.6 to 1.10.8 #99

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Security] Bump nokogiri from 1.5.6 to 1.10.8 #99

wants to merge 1 commit into from

Conversation

dependabot-preview[bot]
Copy link

Bumps nokogiri from 1.5.6 to 1.10.8. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 nokogiri version 1.7.2 has been released.

This is a security update based on 1.7.1, addressing two upstream libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat.

These patches only apply when using Nokogiri's vendored libxslt package. If you're using your distro's system libraries, there's no need to upgrade from 1.7.0.1 or 1.7.1 at this time.

Full details are available at the github issue linked to in the changelog below.

1.7.2 / 2017-05-09

Security Notes

[MRI] Upstream libxslt patches are applied to the vendored libxslt

... (truncated)

Patched versions: >= 1.7.2 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml 2.9.5.

It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663)

It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information. (CVE-2017-7375)

It was discovered that a buffer overflow existed in libxml2 when handling HTTP redirects. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-7376)

Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in libxml2 when handling elements. An attacker could use this to specially

... (truncated)

Patched versions: >= 1.8.1 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxml, is affected by DoS vulnerabilities The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.6.

It was discovered that libxml2 incorrecty handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.

Patched versions: >= 1.8.2 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS Nokogiri Gem for JRuby contains a flaw that is triggered when handling a root element in an XML document. This may allow a remote attacker to cause a consumption of memory resources.

Patched versions: >= 1.6.3 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxml, is affected by DoS vulnerabilities The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.5.

Wei Lei discovered that libxml2 incorrecty handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.

Patched versions: >= 1.8.1 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri Command Injection Vulnerability A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method Nokogiri::CSS::Tokenizer#load_file with untrusted user input.

Patched versions: >= 1.10.4 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method Nokogiri::CSS::Tokenizer#load_file with untrusted user input.

Patched versions: >= 1.10.4 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Nokogiri version 1.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:

CVE-2016-4658 CVSS v3 Base Score: 9.8 (Critical) libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.

CVE-2016-5131 CVSS v3 Base Score: 8.8 (HIGH) Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.

Patched versions: >= 1.7.1 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Several vulnerabilities were discovered in the libxml2 and libxslt libraries that the Nokogiri gem depends on.

CVE-2015-1819 A denial of service flaw was found in the way libxml2 parsed XML documents. This flaw could cause an application that uses libxml2 to use an excessive amount of memory.

CVE-2015-7941 libxml2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted specially XML data.

CVE-2015-7942 The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data.

CVE-2015-7995

... (truncated)

Patched versions: ~> 1.6.6.4; >= 1.6.7.rc4 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Revert libxml2 behavior in Nokogiri gem that could cause XSS [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here:

GNOME/libxml2@960f0e2

and more information is available about this commit and its impact here:

flavorjones/loofah#144

This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities.

If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here:

https://bugzilla.gnome.org/show_bug.cgi?id=769760

Patched versions: >= 1.8.3 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Nokogiri v1.10.5 has been released.

This is a security release. It addresses three CVEs in upstream libxml2, for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses these vulnerabilities.

Full details about the security update are available in Github Issue [#1943] sparklemotion/nokogiri#1943.

CVE-2019-13117

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html

... (truncated)

Patched versions: >= 1.10.5 Unaffected versions: none

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects nokogiri xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. The Nokogiri RubyGem has patched it's vendored copy of libxml2 in order to prevent this issue from affecting nokogiri.

Affected versions: < 1.10.8

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Nokogiri 1.8.5 has been released.

This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.

Full details about the security update are available in Github Issue #1785. [#1785]: sparklemotion/nokogiri#1785

[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.

... (truncated)

Patched versions: >= 1.8.5 Unaffected versions: none

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects nokogiri The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.

Affected versions: < 1.8.2

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxslt, is affected by improper access control vulnerability Nokogiri v1.10.3 has been released.

This is a security release. It addresses a CVE in upstream libxslt rated as "Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More details are available below.

If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

Full details about the security update are available in Github Issue [#1892] sparklemotion/nokogiri#1892.

CVE-2019-11068

Permalinks are:

... (truncated)

Patched versions: >= 1.10.3 Unaffected versions: none

Release notes

Sourced from nokogiri's releases.

1.10.8 / 2020-02-10

Security

[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

1.10.7 / 2019-12-03

Bug

  • [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. #1954

1.10.6 / 2019-12-03

Bug

  • [MRI] Fix FreeBSD installation of vendored libxml2. [#1941, #1953] (Thanks, @nurse!)

1.10.5 / 2019-10-31

Dependencies

  • [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
  • [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is sparklemotion/nokogiri#1915

1.10.3 / 2019-04-22

Security Notes

... (truncated)
Changelog

Sourced from nokogiri's changelog.

1.10.8 / 2020-02-10

Security

[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

1.10.7 / 2019-12-03

Fixed

  • [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. [#1954]

1.10.6 / 2019-12-03

Fixed

  • [MRI] Fix FreeBSD installation of vendored libxml2. [#1941, #1953] (Thanks, @nurse!)

1.10.5 / 2019-10-31

Security

[MRI] Vendored libxslt upgraded to v1.1.34 which addresses three CVEs for libxslt:

More details are available at #1943.

Dependencies

  • [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
  • [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915).

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

... (truncated)
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview
[Security] Bump nokogiri from 1.5.6 to 1.10.8
a6d3c62 
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.5.6 to 1.10.8. **This update includes security fixes.**
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.5.6...v1.10.8)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot mentioned this pull request Feb 24, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants