search

nulib / avalon

Variations-on-Video Hydra app
Apache License 2.0
3 stars 0 forks source link

[Security] Bump loofah from 2.2.2 to 2.2.3 #438

Closed dependabot-preview[bot] closed 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps loofah from 2.2.2 to 2.2.3. This update includes security fixes.

Vulnerabilities fixed *Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2018-16468.yaml).* > **Loofah XSS Vulnerability** > In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in > sanitized output when a crafted SVG element is republished. > > Patched versions: >= 2.2.3 > Unaffected versions: none
Release notes *Sourced from [loofah's releases](https://github.com/flavorjones/loofah/releases).* > ## v2.2.3 > Notably, this release addresses [CVE-2018-16468](https://github-redirect.dependabot.com/flavorjones/loofah/issues/154).
Changelog *Sourced from [loofah's changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md).* > ## 2.2.3 / 2018-10-30 > > ### Security > > Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. > > This CVE's public notice is at [#154](https://github-redirect.dependabot.com/flavorjones/loofah/issues/154) > > > ## Meta / 2018-10-27 > > The mailing list is now on Google Groups [#146](https://github-redirect.dependabot.com/flavorjones/loofah/issues/146): > > * Mail: loofah-talk@googlegroups.com > * Archive: https://groups.google.com/forum/#!forum/loofah-talk > > This change was made because librelist no longer appears to be maintained.
Commits - [`cb3dbfa`](https://github.com/flavorjones/loofah/commit/cb3dbfa604195b99b3a811e040584daec7663504) version bump to v2.2.3 and update CHANGELOG - [`71e4b54`](https://github.com/flavorjones/loofah/commit/71e4b5434fbcb2ad87643f0c9fecfc3a847943c4) remove the svg animate attribute `from` from the allowlist - [`3556e2b`](https://github.com/flavorjones/loofah/commit/3556e2b44f7401aaccbb10e2abac4e044391267a) add formatting to CHANGELOG - [`ac7c50d`](https://github.com/flavorjones/loofah/commit/ac7c50de12398c90ffba907bf132af66bcc242be) updated mailing list to a new Google Group - [`de6b0f3`](https://github.com/flavorjones/loofah/commit/de6b0f33cde92b6028c1ef973e5fc24478890fc9) extract msword html data into an asset file - See full diff in [compare view](https://github.com/flavorjones/loofah/compare/v2.2.2...v2.2.3)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it). To ignore the version in this PR you can just close it - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.
dependabot-preview[bot] commented 5 years ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.