🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.11.4, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.
Mitigation
Upgrade to Nokogiri >= 1.11.4.
Impact
I've done a brief analysis of the published CVEs that are addressed in this upstream release. The libxml2 maintainers have not released a canonical set of CVEs, and so this list is pieced together from secondary sources and may be incomplete.
All information below is sourced from security.archlinux.org, which appears to have the most up-to-date information as of this analysis.
Description: A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service.
Description: A use-after-free security issue was found in libxml2 before version 2.9.11 in xmlXIncludeDoProcess() in xinclude.c when processing crafted files.
Description: It was found that libxml2 before version 2.9.11 did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application.
Description: A security issue was found in libxml2 before version 2.9.11. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.
Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4, however Nokogiri's default parse options prevent the attack from succeeding (it is necessary to opt into DTDLOAD which is off by default).
For more details supporting this analysis of this CVE, please visit #2233.
Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).
[CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)
[CRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this likely segfaulted. [#1900]
[JRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this raised a TypeError exception.
[CRuby] arm64/aarch64 systems (like Apple's M1) can now compile libxml2 and libxslt from source (though we continue to strongly advise users to install the native gems for the best possible experience)
MiniPortile.execute now takes an optional :env hash, which is merged into the environment variables for the subprocess. Likely this is only useful for specialized use cases. [#99]
Experimental support for cmake-based projects extended to Windows. (Thanks, @larskanis!)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ nokogiri (indirect, 1.11.2 → 1.11.5) · Repo · Changelog
Security Advisories 🚨
🚨 Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Release Notes
1.11.4
1.11.3
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 56 commits:
version bump to v1.11.5Merge pull request #2243 from sparklemotion/flavorjones-v1_11_x-update-tests-to-work-with-system-libxml-2_9_12update CHANGELOGwindows: work around libxml2 xmlCleanupParsertest: adjust tests to pass on system libxml2 >= 2.9.11ci: windows config for github actionsupdate CHANGELOG with the GHSAversion bump to v1.11.4update CHANGELOG with complete CVE informationMerge pull request #2234 from sparklemotion/2233-upgrade-to-libxml-2-9-12update CHANGELOGpatch: renumber libxml2 patchestest: update behavior of namespaces in HTMLtest: remove low-value HTML::SAX::PushParser encoding testtest: adjust xpath gc test to libxml2's max recursion depthpatch: backport libxslt configure.ac change for libxml2 configpatch: fix isnan/isinf patch to apply cleanly to libxml 2.9.12patch: fix whitespace in libxml2 Makefile.in patchpatch: remove upstream libxml2 patch c1ba6f5patch: remove upstream libxml2 patches 29f5d20 and a67b63dpatch: remove upstream libxml2 patch afad372patch: remove upstream libxml2 patch 0e1a49cdep: upgrade libxml2 from 2.9.10 to 2.9.12test: establish better baseline behavior for MS Word's html formatci: add a pipeline for v1.11.xversion bump to v1.11.3Merge pull request #2215 from sparklemotion/flavorjones-valgrind-test-helperstest: consolidate jruby version info teststest: cleanuptest: introduce helpers for skips and for a valgrind blockci: make some slow tests run only under NOKOGIRI_GCMerge pull request #2214 from sparklemotion/flavorjones-allow-arm64-compilationfix: update automake files to allow arm64 to compile package libsRevert "fix: update automake files to allow arm64 to compile package libs"fix: update automake files to allow arm64 to compile package libsci: provide distinct "compact" and "verify" GC test levelsstyle: update noko_xml_node_wrap variable namesci: explicitly do a major GC when testing with compactionci: drop NOKOGIRI_TEST_GC_COMPACTION in favor of "compact" _GC_LEVELreadme: prefer the discord server over a specific channel nameci: stop notifying discordMerge pull request #2210 from sparklemotion/1900-check-type-passed-to-document-root-equalsfix: Document#root= raises an ArgumentError for a non-Node argprefactor: cleans up Document#root= tests and C codeMerge pull request #2209 from sparklemotion/flavorjones-skip-enumerator-in-valgrindci: skip NodeSet enumerator test on valgrindci: reduce valgrind suppressionsci: use suppressions from the repo under testci: run tasks in parallel within a jobMerge pull request #2203 from sparklemotion/flavorjones-node-new-block-docsdoc: improve documentation for Document#create_elementdoc: document `Node.new`'s optional block paramdoc: improve Document::NCNAME doc stringtest: label the Minitest::Reporters options when they are printeddoc: clarify language in CONTRIBUTING.mdlicense: update MIT license copyright dates↗️ mini_portile2 (indirect, 2.5.0 → 2.5.1) · Repo · Changelog
Release Notes
2.5.1
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 33 commits:
version bump to v2.5.1fix: #execute should always emit "OK" on successMerge pull request #100 from flavorjones/flavorjones-execute-takes-env-optionfeat: #execute now accepts an optional :env hashremove remaining traces of concoursedoc: update README with Actions status badgeMerge pull request #98 from flavorjones/flavorjones-migrate-to-github-actionsci: remove appveyor and concourse configsci: set makeflags to parallelize buildsci: skip sqlite and ares examples on windowsci: update sqlite version in examples testci: separate out test:examples from test:unitci: config git so that newlines don't break gpg sigsci: add windows coverage to GA CItest: omit options with spaces from the cmake testdep: add webrick as a dev dep for Ruby 3.0ci: linux CI on GAupdate default branch from master to mainMerge pull request #95 from amatsuda/httpsGitHub is HTTPS by defaultMerge pull request #94 from larskanis/appveyorupdate CHANGELOGci: rename pipelines to avoid concourse warningsci: rename pipelines to avoid concourse warningsFix cmake usage and related tests on WindowsUpdate Appveyor-CI to newer rubiesAdjust version dependenciesci: upgrade to teliaoss/github-pr-resourceci: remove .travis.ymlREADME: update badges: travis→concourse, tideliftREADME: add Support section with CTA for TideliftCreate FUNDING.ymlpublishing a security reporting processDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands