From f853dcb8434527bae4fadfb6ba15a5112838f88a Mon Sep 17 00:00:00 2001 From: Philip Hallstrom Date: Sun, 7 Oct 2018 09:53:02 -0700 Subject: [PATCH] Upgrade nokogiri gem to 1.8.5 to resolve CVE-2018-14404 see https://circleci.com/gh/railslink/railslink/138 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: https://github.com/sparklemotion/nokogiri/issues/1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 --- Gemfile | 2 +- Gemfile.lock | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile b/Gemfile index 1e7da21a..3672a3cd 100644 --- a/Gemfile +++ b/Gemfile @@ -31,7 +31,7 @@ gem 'slim-rails' # slim templa gem "sprockets", "~> 3.7.2" # sprockets is a rack-based asset packaging system that concatenates and serves javascript, scss, etc gem 'sucker_punch', '~> 2.0' # asynchronous processing library gem 'uglifier', '>= 1.3.0' # compressor for javascript assets -gem 'nokogiri', '~> 1.8.3' # a HTML, XML, SAX, and Reader parser +gem 'nokogiri', '~> 1.8.5' # a HTML, XML, SAX, and Reader parser group :development, :test do gem 'rspec-rails', '~> 3.7' # testing framework diff --git a/Gemfile.lock b/Gemfile.lock index a94347a7..c0a0cb0a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -101,7 +101,7 @@ GEM multi_xml (0.6.0) multipart-post (2.0.0) nio4r (2.3.0) - nokogiri (1.8.4) + nokogiri (1.8.5) mini_portile2 (~> 2.3.0) oauth2 (1.4.0) faraday (>= 0.8, < 0.13) @@ -255,7 +255,7 @@ DEPENDENCIES ffi (~> 1.9.24) listen (>= 3.0.5, < 3.2) marginalia (~> 1.6.0) - nokogiri (~> 1.8.3) + nokogiri (~> 1.8.5) oj (~> 2.16.1) omniauth (= 1.8.1) omniauth-slack (= 2.3.0)
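Review bot: On the `+gem 'nokogiri', '~> 1.8.5'` line of the Gemfile hunk (@@ -31,7), the pessimistic constraint is stricter than the advisory's stated solution of `>= 1.8.5`: `~> 1.8.5` admits any 1.8.x at or above 1.8.5 but excludes 1.9.0 and later, so future 1.8.x patch releases are picked up automatically while a later minor line carrying further libxml2 fixes would need another Gemfile edit. That is fine for a conservative bump, but it is worth saying so in the commit message. Minor style point: the inline comment `# a HTML, XML, SAX, and Reader parser` is carried over unchanged and could read `an HTML` the next time the line is touched.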
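Review bot: The `+    nokogiri (1.8.5)` line in the first Gemfile.lock hunk (@@ -101,7) leaves the `mini_portile2 (~> 2.3.0)` dependency unchanged, which is consistent with nokogiri 1.8.x still compiling its bundled libxml2 through mini_portile2. Since the advisory quoted in the commit message locates the vulnerability in libxml2 ("via libxml2"), the bump removes CVE-2018-14404 only on hosts where bundler builds that bundled libxml2; an installation that links nokogiri against system libraries (`--use-system-libraries`) keeps whatever libxml2 the OS package provides, and the CVE has to be checked against that package instead. Suggest noting in the PR which build mode CI and production use, so that the audit output quoted here reflects the binary actually deployed.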
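Review bot: The `+  nokogiri (~> 1.8.5)` line in the DEPENDENCIES hunk (@@ -255,7) matches the new Gemfile constraint, and the diffstat (3 insertions, 3 deletions across two files) shows no other gem moved, which is what `bundle update nokogiri --conservative` produces; please confirm the lock was regenerated by bundler rather than edited by hand, since a hand-edited lock can leave the GEM and DEPENDENCIES sections disagreeing with each other. Since the commit message points at a CI build that flagged this advisory, a `bundle-audit check --update` step in that pipeline would catch the next nokogiri advisory at build time rather than in a follow-up commit.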