roschaefer / rundfunk-mitbestimmen

How should your broadcasting fees be spent? Publish your support and improve the program.
https://rundfunk-mitbestimmen.de/
MIT License
39 stars 30 forks source link

[Security] Bump nokogiri from 1.10.1 to 1.11.0 in /backend #1448

Closed dependabot-preview[bot] closed 3 years ago

dependabot-preview[bot] commented 3 years ago

Bumps nokogiri from 1.10.1 to 1.11.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Nokogiri Command Injection Vulnerability A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method Nokogiri::CSS::Tokenizer#load_file with untrusted user input.

Patched versions: >= 1.10.4 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method Nokogiri::CSS::Tokenizer#load_file with untrusted user input.

Patched versions: >= 1.10.4 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Nokogiri v1.10.5 has been released.

This is a security release. It addresses three CVEs in upstream libxml2, for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses these vulnerabilities.

Full details about the security update are available in Github Issue [#1943] sparklemotion/nokogiri#1943.


CVE-2019-13117

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html

Patched versions: >= 1.10.5 Unaffected versions: none

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects nokogiri xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. The Nokogiri RubyGem has patched it's vendored copy of libxml2 in order to prevent this issue from affecting nokogiri.

Affected versions: < 1.10.8

Sourced from The Ruby Advisory Database.

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2, and released this as v1.10.8

CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.

Patched versions: >= 1.10.8 Unaffected versions: none

Sourced from The GitHub Security Advisory Database.

XXE in Nokogiri

Severity

Nokogiri maintainers have evaluated this as Low Severity (CVSS3 2.6).

Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.

Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".

Affected Versions

Nokogiri &lt;= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3

Mitigation

Affected versions: <= 1.10.10

Sourced from The Ruby Advisory Database.

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability

Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.

Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".

Affected Versions

Nokogiri &lt;= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3

Mitigation

Patched versions: >= 1.11.0.rc4 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxslt, is affected by improper access control vulnerability Nokogiri v1.10.3 has been released.

This is a security release. It addresses a CVE in upstream libxslt rated as "Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More details are available below.

If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

Full details about the security update are available in Github Issue [#1892] sparklemotion/nokogiri#1892.


CVE-2019-11068

Permalinks are:

Patched versions: >= 1.10.3 Unaffected versions: none

Release notes

Sourced from nokogiri's releases.

v1.11.0 / 2021-01-03

Notes

Faster, more reliable installation: Native Gems for Linux and OSX/Darwin

"Native gems" contain pre-compiled libraries for a specific machine architecture. On supported platforms, this removes the need for compiling the C extension and the packaged libraries. This results in much faster installation and more reliable installation, which as you probably know are the biggest headaches for Nokogiri users.

We've been shipping native Windows gems since 2009, but starting in v1.11.0 we are also shipping native gems for these platforms:

  • Linux: x86-linux and x86_64-linux -- including musl platforms like alpine
  • OSX/Darwin: x86_64-darwin and arm64-darwin

We'd appreciate your thoughts and feedback on this work at #2075.

Dependencies

Ruby

This release introduces support for Ruby 2.7 and 3.0 in the precompiled native gems.

This release ends support for:

Gems

  • Explicitly add racc as a runtime dependency. [#1988] (Thanks, @voxik!)
  • [MRI] Upgrade mini_portile2 dependency from ~> 2.4.0 to ~> 2.5.0 [#2005] (Thanks, @alejandroperea!)

Security

See note below about CVE-2020-26247 in the "Changed" subsection entitled "XML::Schema parsing treats input as untrusted by default".

Added

  • Add Node methods for manipulating "keyword attributes" (for example, class and rel): #kwattr_values, #kwattr_add, #kwattr_append, and #kwattr_remove. [#2000]
  • Add support for CSS queries a:has(> b), a:has(~ b), and a:has(+ b). [#688] (Thanks, @jonathanhefner!)
  • Add Node#value? to better match expected semantics of a Hash-like object. [#1838, #1840] (Thanks, @MatzFan!)
  • [CRuby] Add Nokogiri::XML::Node#line= for use by downstream libs like nokogumbo. [#1918] (Thanks, @stevecheckoway!)
  • nokogiri.gemspec is back after a 10-year hiatus. We still prefer you use the official releases, but master is pretty stable these days, and YOLO.

Performance

Changelog

Sourced from nokogiri's changelog.

v1.11.0 / 2021-01-03

Notes

Faster, more reliable installation: Native Gems for Linux and OSX/Darwin

"Native gems" contain pre-compiled libraries for a specific machine architecture. On supported platforms, this removes the need for compiling the C extension and the packaged libraries. This results in much faster installation and more reliable installation, which as you probably know are the biggest headaches for Nokogiri users.

We've been shipping native Windows gems since 2009, but starting in v1.11.0 we are also shipping native gems for these platforms:

  • Linux: x86-linux and x86_64-linux -- including musl platforms like alpine
  • OSX/Darwin: x86_64-darwin and arm64-darwin

We'd appreciate your thoughts and feedback on this work at #2075.

Dependencies

Ruby

This release introduces support for Ruby 2.7 and 3.0 in the precompiled native gems.

This release ends support for:

Gems

  • Explicitly add racc as a runtime dependency. [#1988] (Thanks, @voxik!)
  • [MRI] Upgrade mini_portile2 dependency from ~> 2.4.0 to ~> 2.5.0 [#2005] (Thanks, @alejandroperea!)

Security

See note below about CVE-2020-26247 in the "Changed" subsection entitled "XML::Schema parsing treats input as untrusted by default".

Added

  • Add Node methods for manipulating "keyword attributes" (for example, class and rel): #kwattr_values, #kwattr_add, #kwattr_append, and #kwattr_remove. [#2000]
  • Add support for CSS queries a:has(> b), a:has(~ b), and a:has(+ b). [#688] (Thanks, @jonathanhefner!)
  • Add Node#value? to better match expected semantics of a Hash-like object. [#1838, #1840] (Thanks, @MatzFan!)
  • [CRuby] Add Nokogiri::XML::Node#line= for use by downstream libs like nokogumbo. [#1918] (Thanks, @stevecheckoway!)
  • nokogiri.gemspec is back after a 10-year hiatus. We still prefer you use the official releases, but master is pretty stable these days, and YOLO.

Performance

Commits
  • 1c1fba5 version bump to v1.11.0
  • c6b17a6 doc: remove versioning policy from CHANGELOG since it's in README
  • ff14f06 Create dependabot.yml
  • 638ab65 doc: tweak logo and "Description" section in README
  • 340686b ci: move truffleruby jobs to a separate pipeline
  • f6d2742 ci: update nokogiri master-branch git resource with webhook
  • 4b55ecb Merge pull request #2162 from parndt/use-ruby-setup-ruby
  • e6c0772 Use ruby/setup-ruby action which bundles
  • 940823f ci: update macos builds to install latest bundler
  • 0e6ce7c gem: fix packaging of native gems without java files
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)
dependabot-preview[bot] commented 3 years ago

Superseded by #1449.