🚨 [security] [ruby] Update nokogiri: 1.13.9 → 1.13.10 (patch)

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ nokogiri (indirect, 1.13.9 → 1.13.10) · Repo · Changelog

Security Advisories 🚨

🚨 Unchecked return value from xmlTextReaderExpand

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

CWE - CWE-252: Unchecked Return Value (4.9)

CWE - CWE-476: NULL Pointer Dereference (4.9)

Credit

This vulnerability was responsibly reported by @davidwilemski.

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ racc (indirect, 1.6.0 → 1.6.1) · Repo · Changelog

Release Notes

1.6.1

What's Changed

CI: Add JRuby 9.3, use bundler-cache by @olleolleolle in #173

Fix names by @nobu in #178

Update README.rdoc by @jwillemsen in #179

s/RubyVM::JIT/RubyVM::MJIT/g by @k0kubun in #180

ci: update to cover Ruby 3.1 by @flavorjones in #181

Fix typo in sample/calc.y. by @simi in #184

Added dependabot.yml for actions by @hsbt in #186

Bump actions/checkout from 2 to 3 by @dependabot in #187

[DOC] Remove stale Object::ParseError documentation by @nobu in #188

Strip trailing spaces by @nobu in #189

Fix flag to Regexp.new by @nobu in #191

Fix documentation directory name in README by @okuramasafumi in #193

Make racc test more flexible (for JRuby). by @enebo in #194

Update racc.en.rhtml by @jwillemsen in #195

Update README.rdoc by @jwillemsen in #196

Update racc.gemspec by @jwillemsen in #197

ci: update jruby versions and add truffleruby by @flavorjones in #198

New Contributors

@jwillemsen made their first contribution in #179

@k0kubun made their first contribution in #180

@simi made their first contribution in #184

@dependabot made their first contribution in #187

@okuramasafumi made their first contribution in #193

Full Changelog: v1.6.0...v1.6.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@depfu rebase
Rebases against your default branch and redoes this update

@depfu recreate
Recreates this PR, overwriting any edits that you've made to it

@depfu merge
Merges this PR once your tests are passing and conflicts are resolved

@depfu close
Closes this PR and deletes the branch

@depfu reopen
Restores the branch and reopens this PR (if it's closed)

@depfu pause
Ignores all future updates for this dependency and closes this PR

@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR

@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

carbonfive / raygun-rails