🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if
the packaged libraries are being used. If you've overridden defaults at installation time to use
system libraries instead of packaged libraries, you should instead pay attention to your distro's
libxml2 release announcements.
JRuby users are not affected.
Severity
The Nokogiri maintainers have evaluated this as Moderate.
Impact
From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):
When using the XML Reader interface with DTD validation and XInclude expansion enabled,
processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Mitigation
Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.
Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.
JRuby users are not affected.
Mitigation
Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.
Impact
From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):
When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Timeline
2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information
2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions
2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public
2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section
2024-03-16 09:03 EDT - v1.15.6 published (see discussion at #3146), updated mitigation information
2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information
Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to v2.10.4 from v2.10.3.
libxml2 v2.10.4 addresses the following known vulnerabilities:
CVE-2023-29469: Hashing of empty dict strings isn't deterministic
CVE-2023-28484: Fix null deref in xmlSchemaFixupComplexType
Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.
Mitigation
Upgrade to Nokogiri >= 1.14.3.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.4 which will also address these same issues.
Impact
No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicates that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.
Nokogiri 1.13.8 and 1.13.9 fail to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.
For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.
Mitigation
Upgrade to Nokogiri >= 1.13.10.
Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.9, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.
Mitigation
Upgrade to Nokogiri >= 1.13.9.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.3 which will also address these same issues.
Description: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
Nokogiri maintainers investigated at #2620 and determined this CVE does not affect Nokogiri users.
Description: When an entity reference cycle is detected, the entity content is cleared by setting its first byte to zero. But the entity content might be allocated from a dict. In this case, the dict entry becomes corrupted leading to all kinds of logic errors, including memory errors like double-frees.
Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory.
Severity
The Nokogiri maintainers have evaluated this as High 8.2 (CVSS3.1).
Mitigation
CRuby users should upgrade to Nokogiri >= 1.13.6.
JRuby users are not affected.
Workarounds
To avoid this vulnerability in affected applications, ensure the untrusted input is a String by calling #to_s or equivalent.
Credit
This vulnerability was responsibly reported by @agustingianni and the Github Security Lab.
Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from v2.9.13 to v2.9.14.
libxml2 v2.9.14 addresses CVE-2022-29824. This version also includes several security-related bug fixes for which CVEs were not created, including a potential double-free, potential memory leaks, and integer-overflow.
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.5, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements.
Mitigation
Upgrade to Nokogiri >= 1.13.5.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.9.14 which will also address these same issues.
Description: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
All versions of libxml2 prior to v2.9.14 are affected.
Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.
Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses CVE-2018-25032. That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.4, and only if the packaged version of zlib is being used. Please see this document for a complete description of which platform gems vendor zlib. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's zlib release announcements.
Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.
Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to 1.9.22.noko2 which addresses CVE-2022-24839. That CVE is rated 7.5 (High Severity).
Description: The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.
Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to 2.12.2, which addresses CVE-2022-23437. That CVE is scored as CVSS 6.5 "Medium" on the NVD record.
Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.
Type: CWE-91 XML Injection (aka Blind XPath Injection)
Description: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
libxml2: CVE-2022-23308 (Unspecified severity, see more information below)
Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs.
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements.
Mitigation
Upgrade to Nokogiri >= 1.13.2.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version of Nokogiri against external libraries libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.
As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score.
The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options DTDVALID set to true, and NOENT set to false.
An analysis of these parse options:
While NOENT is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later.
DTDVALID is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly.
It seems reasonable to assume that any application explicitly setting the parse option DTDVALID when parsing untrusted documents is vulnerable and should be upgraded immediately.
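Pulling the trigger conditions from this advisory and from the XML::Reader use-after-free advisory above into one pre-flight check, as an added example (not code from Nokogiri or Depfu): it audits a parse-option bitmask for DTDVALID without NOENT and for DTDVALID combined with XINCLUDE, and coerces and size-limits input before it reaches a parser. The option bit values are libxml2's xmlParserOption flags, which Nokogiri::XML::ParseOptions mirrors; the DEFAULT_XML and DEFAULT_XSLT values and the XmlPreflight module name are assumptions.

```ruby
# Added example (not Nokogiri's or Depfu's code): a pre-flight audit for code
# that parses untrusted XML, checking the trigger conditions named in the
# advisories above. Bit values are libxml2's xmlParserOption flags, which
# Nokogiri::XML::ParseOptions mirrors; DEFAULT_XML/DEFAULT_XSLT are assumed
# to match recent Nokogiri releases. Runs without the nokogiri gem installed.
module XmlPreflight
  RECOVER   = 1 << 0
  NOENT     = 1 << 1
  DTDLOAD   = 1 << 2
  DTDATTR   = 1 << 3
  DTDVALID  = 1 << 4
  XINCLUDE  = 1 << 10
  NONET     = 1 << 11
  NOCDATA   = 1 << 14
  BIG_LINES = 1 << 22

  # Nokogiri's defaults (assumption): NOENT is off for documents, on for XSLT.
  DEFAULT_XML  = RECOVER | NONET | BIG_LINES
  DEFAULT_XSLT = RECOVER | NONET | NOENT | DTDLOAD | DTDATTR | NOCDATA

  # libxml2 buffer lengths are C ints; documents beyond this size hit the
  # integer-overflow class fixed in libxml2 2.9.14.
  INT_MAX = 2**31 - 1

  Finding = Struct.new(:id, :message)

  # Returns the findings for a parse-option bitmask. An empty list means none
  # of the advisory trigger conditions are present.
  def self.audit_options(opts)
    findings = []
    dtdvalid = (opts & DTDVALID) != 0
    noent    = (opts & NOENT) != 0
    xinclude = (opts & XINCLUDE) != 0

    # CVE-2022-23308 (libxml2 < 2.9.13): DTDVALID set while NOENT is unset.
    if dtdvalid && !noent
      findings << Finding.new(:cve_2022_23308,
        "DTDVALID is set and NOENT is unset; upgrade to Nokogiri >= 1.13.2")
    end
    # XML::Reader use-after-free: DTD validation plus XInclude expansion on
    # Nokogiri < 1.15.6 / < 1.16.2.
    if dtdvalid && xinclude
      findings << Finding.new(:reader_uaf,
        "DTDVALID and XINCLUDE are both set; unsafe with XML::Reader on " \
        "Nokogiri < 1.15.6 / < 1.16.2")
    end
    findings
  end

  # Normalises untrusted input before a SAX parser sees it: coerces it to a
  # String (the workaround from the unexpected-data-type advisory) and refuses
  # documents whose byte length cannot be represented as a C int.
  def self.check_input(input, max_bytes: INT_MAX)
    str = input.is_a?(String) ? input : input.to_s
    if str.bytesize > max_bytes
      raise ArgumentError, "document is #{str.bytesize} bytes, over #{max_bytes}"
    end
    str
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a caller that turned on DTD validation explicitly.
  opts = XmlPreflight::DEFAULT_XML | XmlPreflight::DTDVALID
  XmlPreflight.audit_options(opts).each { |f| puts "#{f.id}: #{f.message}" }
  puts XmlPreflight.check_input("<root/>")
end
```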
New methods #lib_path and #include_path which point at the installed directories under ports. (by @flavorjones)
Add config param for CMAKE_BUILD_TYPE, which now defaults to Release. (#136 by @Watson1978)
Experimental
Introduce experimental support for MiniPortile#mkmf_config which sets up MakeMakefile variables to properly link against the recipe. This should make it easier for C extensions to package third-party libraries. (by @flavorjones)
With no arguments, will set up just $INCFLAGS, $libs, and $LIBPATH.
Optionally, if provided a pkg-config file, will use that config to more precisely set $INCFLAGS, $libs, $LIBPATH, and $CFLAGS/$CXXFLAGS.
Optionally, if provided the name of a static archive, will rewrite linker flags to ensure correct linkage.
Note that the behavior may change slightly before official support is announced. Please comment on #118 if you have feedback.
cmake: set CMAKE compile flags to configure cross-compilation similarly to the autotools --host flag: SYSTEM_NAME, SYSTEM_PROCESSOR, C_COMPILER, and CXX_COMPILER. [#130] (Thanks, @stanhu!)
Support xz-compressed archives (recognized by an .xz file extension).
When downloading a source archive, default open_timeout and read_timeout to 10 seconds, but allow configuration via open_timeout and read_timeout config parameters.
A test artifact that has been included in the gem was being flagged by some users' security scanners because it wasn't a real tarball. That artifact has been updated to be a real tarball. [#108]
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
What changed?
✳️ nokogiri (1.12.5 → 1.16.5) · Repo · Changelog
Security Advisories 🚨
🚨 Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459
🚨 Use-after-free in libxml2 via Nokogiri::XML::Reader
🚨 Use-after-free in libxml2 via Nokogiri::XML::Reader
🚨 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
🚨 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
🚨 Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs
🚨 Unchecked return value from xmlTextReaderExpand
🚨 Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
🚨 Nokogiri has vulnerable dependencies on libxml2 and libxslt
🚨 Nokogiri Improperly Handles Unexpected Data Type
🚨 Integer Overflow or Wraparound in libxml2 affects Nokogiri
🚨 Out-of-bounds Write in zlib affects Nokogiri
🚨 Nokogiri Inefficient Regular Expression Complexity
🚨 Denial of Service (DoS) in Nokogiri on JRuby
🚨 XML Injection in Xerces Java affects Nokogiri
🚨 Nokogiri affected by zlib's Out-of-bounds Write vulnerability
🚨 Vulnerable dependencies in Nokogiri
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ mini_portile2 (indirect, 2.6.1 → 2.8.6) · Repo · Changelog
Release Notes
2.8.6
2.8.5
2.8.4
2.8.3
2.8.2
2.8.1
2.8.0
2.7.1
2.7.0
Commits
See the full diff on Github. The new version differs by 74 commits:
version bump to v2.8.6
Merge pull request #139 from mudge/freebsd-cmake
Explicitly use GNU make for FreeBSD build
Prefer cc and c++ when using CMake on FreeBSD
ci: add freebsd coverage
ci: update github actions
version bump to 2.8.5
doc: update README with cmake_build_type documentation
Merge pull request #137 from flavorjones/flavorjones-update-gemspec
dev: gemspec has better desc and uses require_relative
Merge pull request #136 from Watson1978/release-build
Add config param for CMAKE_BUILD_TYPE
Create release binary with cmake explicitly
Merge pull request #135 from amatsuda/warning
warning: method redefined; discarding old source_directory=
version bump to v2.8.5.rc2
Merge pull request #134 from flavorjones/flavorjones-improve-mkmf-config-20230917
introduce the "static" parameter to mkmf_config
extract `lib_path` and `include_path` methods
version bump to v2.8.5.rc1
Merge pull request #133 from flavorjones/flavorjones-more-precise-pkg-config
feat: more precise implementation of mkmf_config for pkg-config
version bump to v2.9.0.rc1
Merge pull request #131 from flavorjones/118-fedora-pkgconf
feat: introduce MiniPortile.mkmf_config
test: add an example that uses MakeMakefile.pkg_config
ci: add a fedora job to the test suite
test: backfill coverage for MiniPortile#activate
Merge pull request #132 from flavorjones/flavorjones-uninitialized-ivar-warnings
fix: avoid uninitialized ivar warnings
version bump to v2.8.4
Merge pull request #130 from stanhu/sh-cmake-cross-compile-vars
version bump to v2.8.3
Remap x64 processor type to x86_64
[cmake] Automatically add required cross-compilation variables
Merge pull request #129 from stanhu/sh-cmake-msys
Update CHANGELOG.md
Add CHANGELOG.md for CMake fix
cmake: only use MSYS/NMake generators when available
version bump to v2.8.2
Merge pull request #126 from flavorjones/flavorjones-better-config-failure-log
convert source_directory into a posix path
omit misleading version number when using source_directory
feat: output complete logs on error, including "config.log"
Merge pull request #125 from petergoldstein/feature/add_ruby_3_2_to_ci
Adds Ruby 3.2 to CI. Updates checkout action version.
Merge pull request #124 from flavorjones/flavorjones-update-github-actions-v3
ci: update github actions to avoid node version warnings
version bump to v2.8.1
Merge pull request #122 from flavorjones/119-improve-patching
fix: handle patching in dirs that resemble an actual git dir
Merge pull request #121 from flavorjones/flavorjones-exercise-patching-in-examples
test: `rake test:examples` now exercises patching
Merge pull request #117 from flavorjones/flavorjones-loosen-bundler-dependency
dep(dev): loosen bundler dependency
version bump to 2.8.0
Merge pull request #114 from flavorjones/flavorjones-support-xz-files
ci: skip examples that won't build on arm64-darwin
feat: support xz-compressed archives
Merge pull request #115 from flavorjones/flavorjones-add-darwin-to-ci-matrix
feat: {open,read}_timeout defaults to 10, can be overridden
ci: add darwin coverage to the ci matrix
dev(dep): update development dependencies
Merge pull request #113 from flavorjones/flavorjones-update-ci-to-ruby31
ci: update to cover Ruby 3.1
meta: Github Sponsors link
version bump to v2.7.1
update CHANGELOG for release
Merge pull request #109 from flavorjones/108-make-it-a-real-tarball-plz
fix: ensure test artifact is a real tarball
version bump to v2.7.0
Merge pull request #107 from cosmo0920/support-replace-cmake-command-via-initialize
allow configuration of some commands
ci: do not fail fast, cancel in progress