🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if
the packaged libraries are being used. If you've overridden defaults at installation time to use
system libraries instead of packaged libraries, you should instead pay attention to your distro's
libxml2 release announcements.
JRuby users are not affected.
Severity
The Nokogiri maintainers have evaluated this as Moderate.
Impact
From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):
When using the XML Reader interface with DTD validation and XInclude expansion enabled,
processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Mitigation
Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.
Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.
JRuby users are not affected.
Mitigation
Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.
Impact
From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):
When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Timeline
2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information
2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions
2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public
2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section
2024-03-16 09:03 EDT - v1.15.6 published (see discussion at #3146), updated mitigation information
2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information
[CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.
[CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.
[CRuby] XML::Reader defaults the encoding to UTF-8 if it's not specified in either the document or as a method parameter. Previously non-ASCII characters were serialized as NCRs in this case. [#2891] (@flavorjones)
[CRuby] Restored support for compilation by GCC versions earlier than 4.6, which was broken in v1.15.0 (540e9ae). [#3090] (@adfoster-r7)
[CRuby] Patched upstream libxml2 to allow parsing HTML5 in the context of a namespaced node (e.g., foreign content like MathML). [#3112, #3116] (@flavorjones)
[CRuby] Fixed a small memory leak in libgumbo (HTML5 parser) when the maximum tree depth limit is hit. [#3098, #3100] (@stevecheckoway)
This version marks official support for the pattern matching API in XML::Attr, XML::Document, XML::DocumentFragment, XML::Namespace, XML::Node, and XML::NodeSet (and their subclasses), originally introduced as an experimental feature in v1.14.0. (@flavorjones)
CSS nth pseudo-classes now handle spaces, e.g. "2n + 1". [#3018] (@fusion2004)
[CRuby] libgumbo no longer leaks memory when an incomplete tag is abandoned by the HTML5 parser. [#3036] (@flavorjones)
Removed
Removed Nokogiri::HTML5.get which was deprecated in v1.12.0. [#2278] (@flavorjones)
Removed the CSS-to-XPath utility modules XPathVisitorAlwaysUseBuiltins and XPathVisitorOptimallyUseBuiltins, which were deprecated in v1.13.0 in favor of XPathVisitor constructor args. [#2403] (@flavorjones)
Removed XML::Reader#attribute_nodes which was deprecated in v1.13.8 in favor of #attribute_hash. [#2598, #2599] (@flavorjones)
[CRuby] Removed the libxml/libxml2_path key from VersionInfo, used in the past for third-party library integration, in favor of the nokogiri/cppflags and nokogiri/ldflags keys. Please note that third-party library integration is not fully supported and may be deprecated soon, see #2746 for more context. [#2143] (@flavorjones)
Thank you!
The following people and organizations were kind enough to sponsor @flavorjones or the Nokogiri project during the development of v1.16.0:
This security release is a backport to the unsupported v1.15.x branch. Current stable is v1.16.x, which addressed the referenced CVE in v1.16.2 on 2024-02-04.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
What changed?
↗️ nokogiri (indirect, 1.15.4 → 1.16.5) · Repo · Changelog
Security Advisories 🚨
🚨 Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459
🚨 Use-after-free in libxml2 via Nokogiri::XML::Reader
🚨 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
Release Notes
1.16.5
1.16.4
1.16.3
1.16.2
1.16.1
1.16.0
1.15.6
1.15.5
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ racc (indirect, 1.7.1 → 1.7.3) · Repo · Changelog
Release Notes
1.7.3
1.7.2
Commits
See the full diff on Github. The new version differs by 67 commits:
Merge pull request #254 from yui-knk/v1.7.3
Bump up v1.7.3
Merge pull request #253 from yui-knk/add_dependency
'lib/racc/parser-text.rb' depends on 'lib/racc/info.rb'
Merge pull request #252 from yui-knk/fix_doc_expect_param
Fix locations of `expect` param in docs
Merge pull request #251 from yui-knk/v1.7.3.pre.1
Bump up v1.7.3.pre.1
Merge pull request #250 from yui-knk/test_rake_compile_build
Check `rake build` on CI
Merge pull request #249 from yui-knk/always_run_ci
Merge pull request #248 from nobu/srcs
Make CI runnable for any push
Add `srcs` target to prepare to build
Make reproducible
Merge pull request #247 from nobu/bump
Update test-unit-ruby-core for ruby 2.5
Prepare 1.7.3
Add recipe to update RACC_VERSION in Cparse.java
Merge pull request #246 from nobu/jruby-extdir
Fix jar file path
Merge pull request #245 from nobu/ruby-test
Fix for dummy rake/extensiontask.rb at ruby test-bundled-gems
Merge pull request #244 from nobu/cruby-ext
Exclude CRuby extension from JRuby gem
Merge pull request #239 from yui-knk/v1.7.2
Merge pull request #243 from nobu/protoize
Use prototype declarations
Bump up v1.7.2
Merge pull request #241 from nobu/info_version
Merge pull request #242 from nobu/manifest
[DOC] Update release flow
Remove MANIFEST which was used by ancient extmk.rb
Extract Racc::VERSION from racc/info.rb at extconf.rb
Merge pull request #240 from nobu/old-checks
Remove fallback code
Remove old checks
Rename CI file since it is not only Ubuntu now [ci skip]
Merge pull request #238 from makenowjust/typos
Fix tiny typos
Merge pull request #237 from yui-knk/remove_install_guide_via_setup_rb
Remove install guide by setup.rb
Merge pull request #236 from nobu/bump-up
Start 1.7.2
Update `Gem::Specification#files`
Merge pull request #235 from yui-knk/readme_release-flow
Add "Release flow" to README.rdoc
Merge pull request #234 from yui-knk/fix_typo
Fix a typo
Merge pull request #232 from ruby/dependabot/github_actions/actions/checkout-4
Bump actions/checkout from 3 to 4
Merge pull request #231 from yui-knk/embed_grammar_file_name_into_generated_file
Embed grammar file name into generated file
Merge pull request #230 from nobu/embedded-pragmas
Remove frozen_string_literal pragmas from embedded runtime files
Stop littering platform-independent directory with platform-dependent binaries
Merge pull request #229 from ruby/flavorjones-pin-dev-dependencies
dep: pin development dependencies, and enable dependabot for gems
Merge pull request #228 from ruby/flavorjones-work-around-rake-compiler-ruby-2.5
Update development dependency to avoid ruby 2.5 failures
Merge pull request #225 from zenspider/zenspider/frozen_string_literals
Merge pull request #226 from zenspider/zenspider/newline
Remove NEWS files since they've not been updated in quite some time
Add --frozen to add frozen_string_literals to top of generated files.
Remove leading newline from on_error exception messages.
Merge pull request #224 from jwillemsen/patch-4
Update parser.rb, fixed typo
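As an added example (not part of the Depfu report or of Nokogiri's own tooling), the Ruby below audits a Gemfile.lock against the fixed ranges given in the Nokogiri advisory's Mitigation section above, `~> 1.15.6` or `>= 1.16.2`, and treats java-platform gems as unaffected. The sample lockfile is constructed, and the names `FIXED`, `SAMPLE_LOCK` and `audit_nokogiri` are hypothetical.

```ruby
require "rubygems"

# Fixed ranges from the advisory's Mitigation section: "~> 1.15.6 or >= 1.16.2".
FIXED = [Gem::Requirement.new("~> 1.15.6"), Gem::Requirement.new(">= 1.16.2")].freeze

# Constructed sample lockfile excerpt (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.15.4)
        mini_portile2 (~> 2.8.2)
        racc (~> 1.4)
      nokogiri (1.15.4-x86_64-linux)
        racc (~> 1.4)
      nokogiri (1.15.4-java)
        racc (~> 1.4)
      racc (1.7.1)
LOCK

# Returns one hash per locked nokogiri spec: {version:, platform:, status:}.
def audit_nokogiri(lock_text)
  lock_text.each_line.filter_map do |line|
    # Spec lines are indented exactly four spaces; dependency lines use six.
    m = line.match(/\A {4}nokogiri \((\d[^\s\-)]*)(?:-([^)]+))?\)\s*\z/)
    next unless m

    version = Gem::Version.new(m[1])
    platform = m[2] || "ruby"
    status =
      if platform == "java"
        :not_affected_jruby # advisory: JRuby users are not affected
      elsif FIXED.any? { |req| req.satisfied_by?(version) }
        :fixed
      else
        # Assumption: the page gives no lower bound for affected versions, so
        # everything outside the fixed ranges is flagged. The advisory applies
        # only when the packaged libxml2 is used (the default install).
        :needs_upgrade
      end
    { version: version.to_s, platform: platform, status: status }
  end
end

audit_nokogiri(SAMPLE_LOCK).each { |r| puts r } if $PROGRAM_NAME == __FILE__
```

A lockfile cannot show whether Nokogiri was built against system libxml2; for such installs the advisory points to the distro's libxml2 release announcements instead.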