Closed dependabot-preview[bot] closed 6 years ago
We've just been alerted that this update fixes a security vulnerability:
*Sourced from The Ruby Advisory Database.*

> **Revert libxml2 behavior in Nokogiri gem that could cause XSS**
>
> [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here:
>
> https://github.com/GNOME/libxml2/commit/960f0e2
>
> and more information is available about this commit and its impact here:
> ... (truncated)
>
> Patched versions: [">= 1.8.3"]
Looks like nokogiri is up-to-date now, so this is no longer needed.
Bumps nokogiri from 1.7.2 to 1.8.4. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-9050.yml).*

> **Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities**
>
> The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml 2.9.5.
>
> It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663)
>
> It was discovered that libxml2 did not properly validate parsed entity
> ... (truncated)
>
> Patched versions: >= 1.8.1
> Unaffected versions: none

*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-15412.yml).*

> **Nokogiri gem, via libxml, is affected by DoS vulnerabilities**
>
> The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated this issue by upgrading to libxml 2.9.6.
>
> It was discovered that libxml2 incorrectly handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.
>
> Patched versions: >= 1.8.2
> Unaffected versions: none

*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-16932.yml).*

> **Nokogiri gem, via libxml, is affected by DoS vulnerabilities**
>
> The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated this issue by upgrading to libxml 2.9.5.
>
> Wei Lei discovered that libxml2 incorrectly handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.
>
> Patched versions: >= 1.8.1
> Unaffected versions: none

Changelog
*Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).*

> # 1.8.4 / 2018-07-03
>
> ## Bug fixes
>
> * [MRI] Fix memory leak when creating nodes with namespaces. (Introduced in v1.5.7) [#1771]
>
> # 1.8.3 / 2018-06-16
>
> ## Security Notes
>
> [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here:
>
> https://github.com/GNOME/libxml2/commit/960f0e2
>
> and more information is available about this commit and its impact here:
>
> https://github-redirect.dependabot.com/flavorjones/loofah/issues/144
>
> This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities.
>
> If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here:
>
> https://bugzilla.gnome.org/show_bug.cgi?id=769760
>
> ## Dependencies
>
> * [MRI] libxml2 is updated from 2.9.7 to 2.9.8
>
> ## Features
>
> * Node#classes, #add_class, #append_class, and #remove_class are added.
> * NodeSet#append_class is added.
> * NodeSet#remove_attribute is a new alias for NodeSet#remove_attr.
> * NodeSet#each now returns an Enumerator when no block is passed (Thanks, [**park53kr**](https://github.com/park53kr)!)
> * [JRuby] General improvements in JRuby implementation (Thanks, [**kares**](https://github.com/kares)!)
>
> ## Bug fixes
>
> * CSS attribute selectors now gracefully handle queries using integers. [#711]
> * Handle ASCII-8BIT encoding on fragment input [#553]
> * Handle non-string return values within `Reader` [#898]
> * [JRuby] Allow Node#replace to insert Comment and CDATA nodes. [#1666]
> * [JRuby] Stability and speed improvements to `Node`, `Sax::PushParser`, and the JRuby implementation [#1708, [#1710](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1710), [#1501](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1501)]
>
> # 1.8.2 / 2018-01-29
> ... (truncated)

Commits

- [`254f341`](https://github.com/sparklemotion/nokogiri/commit/254f3414811b6d2fff8b0630efe4ce8d29778fb6) version bump to v1.8.4
- [`056f66d`](https://github.com/sparklemotion/nokogiri/commit/056f66df44fb274de3c950df586a71a9a74c05ae) enforcing formatting in xml_node.c
- [`ca4f9b2`](https://github.com/sparklemotion/nokogiri/commit/ca4f9b262ba4cbf7e6c47e55a8a5d5024665fd93) Merge branch '1771-memory-leak'
- [`0d26561`](https://github.com/sparklemotion/nokogiri/commit/0d26561bd7821dfe1c02b8dd0c82e8a1f510cc49) fix memory leak with creating nodes with a namespace
- [`117ca2e`](https://github.com/sparklemotion/nokogiri/commit/117ca2e067dbbf054bef9078c79387c8170d2156) README format
- [`20e11c3`](https://github.com/sparklemotion/nokogiri/commit/20e11c3f976395ee94982fcc893950d66490222f) version bump to 1.8.3
- [`be8a240`](https://github.com/sparklemotion/nokogiri/commit/be8a2405ba1667fbed0a841a4580d89ef1b52bda) update CHANGELOG
- [`06ac6ba`](https://github.com/sparklemotion/nokogiri/commit/06ac6bac8c4beb615aafd05180742d68efcd83d4) Merge branch '1765-enumerator'
- [`00bafb7`](https://github.com/sparklemotion/nokogiri/commit/00bafb76a82e03ce7f5042833d836f3742842e78) add test coverage for NodeSet#each enum
- [`75517e0`](https://github.com/sparklemotion/nokogiri/commit/75517e03aab9171a03527d315f64c258f1f0ef5d) '#each' returns enumerator when no block given
- Additional commits viewable in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.7.2...v1.8.4)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
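As an added example (not code from this PR, Dependabot or the nokogiri project), the following Ruby script checks the nokogiri version pinned in a Gemfile.lock against the patched-version ranges quoted in the advisories above, using only the rubygems version classes; the lockfile contents are constructed.

```ruby
# Added example, not part of the PR: audit a Gemfile.lock's pinned nokogiri
# version against the patched ranges stated in the advisory excerpts above.
require "rubygems"

# Patched ranges as quoted on this PR (comments summarise each advisory).
ADVISORIES = {
  "CVE-2017-9050"  => ">= 1.8.1",  # libxml2 type confusion: DoS / possible RCE
  "CVE-2017-16932" => ">= 1.8.1",  # parameter-entity resource exhaustion (DoS)
  "CVE-2017-15412" => ">= 1.8.2",  # malformed-file resource exhaustion (DoS)
  "CVE-2018-8048"  => ">= 1.8.3",  # libxml2 revert shipped in nokogiri 1.8.3
}.freeze

# Constructed sample lockfile (a real one sits at the project root).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.2.2)
        nokogiri (>= 1.5.9)
      mini_portile2 (2.1.0)
      nokogiri (1.7.2)
        mini_portile2 (~> 2.1.0)

  PLATFORMS
    ruby
LOCK

# Return the pinned Gem::Version of +gem_name+ from the "specs:" block, or nil.
# Only top-level spec lines (exactly 4 spaces of indent) carry a pin; the
# deeper-indented lines are dependency constraints and must be skipped.
def locked_version(lock_text, gem_name)
  lock_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \((\S+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Return the advisory IDs whose patched range +version+ does not satisfy.
def unpatched_advisories(version)
  ADVISORIES.reject { |_id, range| Gem::Requirement.new(range).satisfied_by?(version) }.keys
end

if $PROGRAM_NAME == __FILE__
  v = locked_version(SAMPLE_LOCK, "nokogiri")
  puts "nokogiri #{v}: unpatched advisories -> #{unpatched_advisories(v).inspect}"
end
```

For the sample lockfile (nokogiri 1.7.2, the version this PR bumps from) all four advisories are reported; 1.8.2 leaves only the 1.8.3 revert outstanding and 1.8.4 reports none.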