From ef207e29c6109f3c0d0fe0ac63b3983ca1bc8459 Mon Sep 17 00:00:00 2001
From: Philip Hallstrom
Date: Mon, 22 Apr 2019 17:08:48 -0700
Subject: [PATCH] update nokogiri gem due to CVE-2019-11068

Name: nokogiri
Version: 1.8.5
Advisory: CVE-2019-11068
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3
---
 Gemfile | 2 +-
 Gemfile.lock | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Gemfile b/Gemfile
index 594f552c..19d9e732 100644
--- a/Gemfile
+++ b/Gemfile
@@ -33,7 +33,7 @@ gem 'slim-rails' # slim templa
 gem "sprockets", "~> 3.7.2" # sprockets is a rack-based asset packaging system that concatenates and serves javascript, scss, etc
 gem 'sucker_punch', '~> 2.0' # asynchronous processing library
 gem 'uglifier', '>= 1.3.0' # compressor for javascript assets
-gem 'nokogiri', '~> 1.8.5' # a HTML, XML, SAX, and Reader parser
+gem 'nokogiri', '~> 1.10.3' # a HTML, XML, SAX, and Reader parser
 group :development, :test do
 gem 'rspec-rails', '~> 3.7' # testing framework
diff --git a/Gemfile.lock b/Gemfile.lock
index ff2f17b5..c4c953e5 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -99,7 +99,7 @@ GEM
 activerecord (>= 2.3)
 method_source (0.9.2)
 mini_mime (1.0.1)
- mini_portile2 (2.3.0)
+ mini_portile2 (2.4.0)
 minitest (5.11.3)
 money (6.11.0)
 i18n (>= 0.6.4, < 1.1)
@@ -107,8 +107,8 @@ GEM
 multi_xml (0.6.0)
 multipart-post (2.0.0)
 nio4r (2.3.1)
- nokogiri (1.8.5)
- mini_portile2 (~> 2.3.0)
+ nokogiri (1.10.3)
+ mini_portile2 (~> 2.4.0)
 oauth2 (1.4.0)
 faraday (>= 0.8, < 0.13)
 jwt (~> 1.0)
@@ -276,7 +276,7 @@ DEPENDENCIES
 kramdown (~> 2.1.0)
 listen (>= 3.0.5, < 3.2)
 marginalia (~> 1.6.0)
- nokogiri (~> 1.8.5)
+ nokogiri (~> 1.10.3)
 oj (~> 2.16.1)
 omniauth (= 1.8.1)
 omniauth-slack (= 2.3.0)