Betterment / test_track

Server app for the TestTrack multi-platform split-testing and feature-gating system
MIT License
119 stars 33 forks source link

[Security] Bump nokogiri from 1.8.2 to 1.8.4 #88

Closed greysteil closed 6 years ago

greysteil commented 6 years ago

Bumps nokogiri from 1.8.2 to 1.8.4. This update includes security fixes.

Vulnerabilities fixed *Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml).* > **Revert libxml2 behavior in Nokogiri gem that could cause XSS** > [MRI] Behavior in libxml2 has been reverted which caused > CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and > CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is > here: > > https://github.com/GNOME/libxml2/commit/960f0e2 > > and more information is available about this commit and its impact > here: > > https://github-redirect.dependabot.com/flavorjones/loofah/issues/144 > > This release simply reverts the libxml2 commit in question to protect > users of Nokogiri's vendored libraries from similar vulnerabilities. > > If you're offended by what happened here, I'd kindly ask that you > comment on the upstream bug report here: > > https://bugzilla.gnome.org/show_bug.cgi?id=769760 > > Patched versions: >= 1.8.3 > Unaffected versions: none
Changelog *Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).* > # 1.8.4 / 2018-07-03 > > ## Bug fixes > > * [MRI] Fix memory leak when creating nodes with namespaces. (Introduced in v1.5.7) [#1771] > > > # 1.8.3 / 2018-06-16 > > ## Security Notes > > [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here: > > > https://github.com/GNOME/libxml2/commit/960f0e2 > > and more information is available about this commit and its impact here: > > > https://github-redirect.dependabot.com/flavorjones/loofah/issues/144 > > This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities. > > If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here: > > > https://bugzilla.gnome.org/show_bug.cgi?id=769760 > > > ## Dependencies > > * [MRI] libxml2 is updated from 2.9.7 to 2.9.8 > > > ## Features > > * Node#classes, #add_class, #append_class, and #remove_class are added. > * NodeSet#append_class is added. > * NodeSet#remove_attribute is a new alias for NodeSet#remove_attr. > * NodeSet#each now returns an Enumerator when no block is passed (Thanks, [**park53kr**](https://github.com/park53kr)!) > * [JRuby] General improvements in JRuby implementation (Thanks, [**kares**](https://github.com/kares)!) > > > ## Bug fixes > > * CSS attribute selectors now gracefully handle queries using integers. [#711] > * Handle ASCII-8BIT encoding on fragment input [#553] > * Handle non-string return values within `Reader` [#898] > * [JRuby] Allow Node#replace to insert Comment and CDATA nodes. [#1666] > * [JRuby] Stability and speed improvements to `Node`, `Sax::PushParser`, and the JRuby implementation [#1708, [#1710](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1710), #1501]
Commits - [`254f341`](https://github.com/sparklemotion/nokogiri/commit/254f3414811b6d2fff8b0630efe4ce8d29778fb6) version bump to v1.8.4 - [`056f66d`](https://github.com/sparklemotion/nokogiri/commit/056f66df44fb274de3c950df586a71a9a74c05ae) enforcing formatting in xml_node.c - [`ca4f9b2`](https://github.com/sparklemotion/nokogiri/commit/ca4f9b262ba4cbf7e6c47e55a8a5d5024665fd93) Merge branch '1771-memory-leak' - [`0d26561`](https://github.com/sparklemotion/nokogiri/commit/0d26561bd7821dfe1c02b8dd0c82e8a1f510cc49) fix memory leak with creating nodes with a namespace - [`117ca2e`](https://github.com/sparklemotion/nokogiri/commit/117ca2e067dbbf054bef9078c79387c8170d2156) README format - [`20e11c3`](https://github.com/sparklemotion/nokogiri/commit/20e11c3f976395ee94982fcc893950d66490222f) version bump to 1.8.3 - [`be8a240`](https://github.com/sparklemotion/nokogiri/commit/be8a2405ba1667fbed0a841a4580d89ef1b52bda) update CHANGELOG - [`06ac6ba`](https://github.com/sparklemotion/nokogiri/commit/06ac6bac8c4beb615aafd05180742d68efcd83d4) Merge branch '1765-enumerator' - [`00bafb7`](https://github.com/sparklemotion/nokogiri/commit/00bafb76a82e03ce7f5042833d836f3742842e78) add test coverage for NodeSet#each enum - [`75517e0`](https://github.com/sparklemotion/nokogiri/commit/75517e03aab9171a03527d315f64c258f1f0ef5d) '#each' returns enumerator when no block given - Additional commits viewable in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.8.2...v1.8.4)


Dependabot compatibility score

(This is an example of the kind of PRs Dependabot creates, so you can see it in action alongside #84. It won't automatically rebase or any of the clever stuff Dependabot normally does because I've manually copied it across, though.)

nanda-prbot commented 6 years ago

@greysteil needs to request domain and platform reviewers.

jmileham commented 6 years ago

/domain @jmileham /platform @jmileham

<< domain lgtm platform lgtm

Thanks!

nanda-prbot commented 6 years ago

Approved! :ghost: :star2: :dizzy:

greysteil commented 6 years ago

Ooh, since I created this 1.8.5 is out, which fixes a vulnerability in 1.8.4 :trollface:. Fancy giving Dependabot a try on this repo and it'll generate the PR for you? Alternatively I can do it manually.