mysociety / verification-pages

Tool to generate and push verification pages to Wikidata
https://www.wikidata.org/wiki/Template:Verification_page
2 stars 1 forks source link

[Security] Bump nokogiri from 1.10.1 to 1.10.3 #657

Closed dependabot-preview[bot] closed 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps nokogiri from 1.10.1 to 1.10.3. This update includes security fixes.

Vulnerabilities fixed *Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-11068.yml).* > **Nokogiri gem, via libxslt, is affected by improper access control vulnerability** > Nokogiri v1.10.3 has been released. > > This is a security release. It addresses a CVE in upstream libxslt rated as > "Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More > details are available below. > > If you're using your distro's system libraries, rather than Nokogiri's > vendored libraries, there's no security need to upgrade at this time, though > you may want to check with your distro whether they've patched this > (Canonical has patched Ubuntu packages). Note that this patch is not yet (as > of 2019-04-22) in an upstream release of libxslt. > > Full details about the security update are available in Github Issue > [#1892] https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1892. > > --- > > CVE-2019-11068 > > Permalinks are: > ... (truncated) > > Patched versions: >= 1.10.3 > Unaffected versions: none
Release notes *Sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases).* > ## 1.10.3 / 2019-04-22 > > ### Security Notes > > [MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in [#1892](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1892). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt. > > ## 1.10.2 / 2019-03-24 > > ### Security > > * [MRI] Remove support from vendored libxml2 for future script macros. [#1871] > * [MRI] Remove support from vendored libxml2 for server-side includes within attributes. [#1877] > > > ### Bug fixes > > * [JRuby] Fix node ownership in duplicated documents. [#1060] > * [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, [#1872](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1872)] (Thanks, [@​adjam](https://github.com/adjam)!) > >
Changelog *Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).* > ## 1.10.3 / 2019-04-22 > > ### Security Notes > > [MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in [#1892](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1892). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt. > > > ## 1.10.2 / 2019-03-24 > > ### Security > > * [MRI] Remove support from vendored libxml2 for future script macros. [#1871] > * [MRI] Remove support from vendored libxml2 for server-side includes within attributes. [#1877] > > > ### Bug fixes > > * [JRuby] Fix node ownership in duplicated documents. [#1060] > * [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, [#1872](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1872)] (Thanks, [@​adjam](https://github.com/adjam)!)
Commits - [`8e24af5`](https://github.com/sparklemotion/nokogiri/commit/8e24af59af22c0bf61376d8c9ae6a85e5b2ba3bd) version bump to v1.10.3 - [`d31f742`](https://github.com/sparklemotion/nokogiri/commit/d31f74291b9c8484d32b66b3b174ca84bdff58ec) Merge pull request [#1898](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1898) from sparklemotion/1892-libxslt-patch-for-usn-3947 - [`fe034ae`](https://github.com/sparklemotion/nokogiri/commit/fe034aedcc59b566740567d621843731686676b9) Backport libxslt patch for CVE-2019-11068 - [`6dfce6b`](https://github.com/sparklemotion/nokogiri/commit/6dfce6ba2befad06cd8a8b2d173fbcb15e412058) Merge branch 'concourse-icons' - [`349edaf`](https://github.com/sparklemotion/nokogiri/commit/349edaf3bfc667bdfc4ddc210daae97522bea9ef) ci: add icons to concourse resources - [`93d1a80`](https://github.com/sparklemotion/nokogiri/commit/93d1a80a154f33a925f2b7d3a127add194cc763c) version bump to v1.10.2 - [`00d4023`](https://github.com/sparklemotion/nokogiri/commit/00d4023c6451023c5abae1e28ef5e9f288892638) ci: ensure gem-test will work for java - [`9224158`](https://github.com/sparklemotion/nokogiri/commit/92241586357e11518a2cde9e045da92b78c73792) refining valgrind suppressions for ruby 2.6 - [`2340bd7`](https://github.com/sparklemotion/nokogiri/commit/2340bd77fe2f45e1acd3d4dae4a58416d34af41d) Merge pull request [#1880](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1880) from larskanis/adjust-test-class-name - [`528f076`](https://github.com/sparklemotion/nokogiri/commit/528f076f4fc8aeaeb651bdd43feed358d8333b5a) update README with Appveyor badge - Additional commits viewable in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.10.1...v1.10.3)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.
dependabot-preview[bot] commented 5 years ago

Superseded by #692.