🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.11.4, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.
Mitigation
Upgrade to Nokogiri >= 1.11.4.
Impact
I've done a brief analysis of the published CVEs that are addressed in this upstream release. The libxml2 maintainers have not released a canonical set of CVEs, and so this list is pieced together from secondary sources and may be incomplete.
All information below is sourced from security.archlinux.org, which appears to have the most up-to-date information as of this analysis.
Description: A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service.
Description: A use-after-free security issue was found in libxml2 before version 2.9.11 in xmlXIncludeDoProcess() in xinclude.c when processing crafted files.
Description: It was found that libxml2 before version 2.9.11 did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application.
Description: A security issue was found in libxml2 before version 2.9.11. An exponential entity expansion attack is possible, bypassing all existing protection mechanisms and leading to denial of service.
Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4, however Nokogiri's default parse options prevent the attack from succeeding (it is necessary to opt into DTDLOAD which is off by default).
For more details supporting this analysis of this CVE, please visit #2233.
Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).
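The advisory above gives two conditions a reviewer has to check before deciding whether this PR matters: the locked Nokogiri version must be at least 1.11.4, and the entity-expansion issue only applies to callers that opted into DTDLOAD, which is off in Nokogiri's defaults. The following Ruby script is an added example, not code from the Depfu PR, the Nokogiri project or the advisory author. It needs only Ruby's standard library (Gem::Version), so it runs without Nokogiri installed. The parser option bit values (RECOVER, NOENT, DTDLOAD, NONET) are copied from libxml2's parser flags and are assumed to match Nokogiri::XML::ParseOptions; DEFAULT_XML is assumed to mirror Nokogiri's default XML options; the Gemfile.lock fragment is constructed for the demonstration. The option check goes slightly beyond the advisory by also flagging NOENT, since entity substitution is the other option a reviewer would want to see before relying on the "off by default" argument.

```ruby
# Added example: stdlib-only checks for the Nokogiri libxml2 advisory above.
# Not code from the Depfu PR or the Nokogiri project.
require "rubygems" # Gem::Version ships with Ruby

# First Nokogiri release carrying libxml2 2.9.12 (from the advisory's mitigation).
FIXED_NOKOGIRI = Gem::Version.new("1.11.4")

# Parser option bits. Assumption: these equal libxml2's XML_PARSE_* flags as
# mirrored by Nokogiri::XML::ParseOptions (RECOVER=1, NOENT=2, DTDLOAD=4, NONET=2048).
RECOVER = 1 << 0
NOENT   = 1 << 1   # substitute entities (relevant to entity expansion)
DTDLOAD = 1 << 2   # load external DTD (the opt-in the advisory names)
NONET   = 1 << 11  # forbid network access
DEFAULT_XML = RECOVER | NONET # assumed to mirror Nokogiri's default XML options

# Constructed Gemfile.lock fragment pinning the pre-fix version this PR bumps from.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.5.0)
      nokogiri (1.11.2)
        mini_portile2 (~> 2.5.0)
        racc (~> 1.4)
      racc (1.5.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
LOCK

# Return the locked nokogiri version string (platform suffix dropped), or nil
# when nokogiri is not in the lockfile. Top-level spec lines are indented by
# exactly four spaces; dependency lines under another gem use six and are skipped.
def locked_nokogiri_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}nokogiri \((\d+(?:\.\d+)*)/)
    return m[1] if m
  end
  nil
end

# True when the lockfile pins nokogiri below the first fixed release.
def nokogiri_vulnerable?(lockfile_text)
  version = locked_nokogiri_version(lockfile_text)
  return false if version.nil?
  Gem::Version.new(version) < FIXED_NOKOGIRI
end

# Names of the risky parser option bits set in an Integer options value
# (the kind passed as the options argument to Nokogiri's XML parse methods).
# An empty array means the "off by default" argument from the advisory holds.
def risky_parse_option_names(options)
  names = []
  names << "NOENT" if (options & NOENT) != 0
  names << "DTDLOAD" if (options & DTDLOAD) != 0
  names
end

if $PROGRAM_NAME == __FILE__
  puts "locked nokogiri: #{locked_nokogiri_version(SAMPLE_LOCKFILE)}"
  puts "below #{FIXED_NOKOGIRI}? #{nokogiri_vulnerable?(SAMPLE_LOCKFILE)}"
  puts "default options risky bits: #{risky_parse_option_names(DEFAULT_XML).inspect}"
  puts "DTDLOAD opt-in risky bits:  #{risky_parse_option_names(DEFAULT_XML | DTDLOAD).inspect}"
end
```

Run it against a real Gemfile.lock by replacing SAMPLE_LOCKFILE with File.read("Gemfile.lock"); the version comparison uses Gem::Version so that 1.11.10 correctly sorts above 1.11.4, which a string comparison would get wrong. The option check is deliberately a pure bitmask test so it can be applied to any options Integer found in application code during review.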
[CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)
[CRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this likely segfaulted. [#1900]
[JRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this raised a TypeError exception.
[CRuby] arm64/aarch64 systems (like Apple's M1) can now compile libxml2 and libxslt from source (though we continue to strongly advise users to install the native gems for the best possible experience)
MiniPortile.execute now takes an optional :env hash, which is merged into the environment variables for the subprocess. Likely this is only useful for specialized use cases. [#99]
Experimental support for cmake-based projects extended to Windows. (Thanks, @larskanis!)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
What changed?
↗️ nokogiri (indirect, 1.11.2 → 1.11.5) · Repo · Changelog
Security Advisories 🚨
🚨 Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Release Notes
1.11.4
1.11.3
Commits
See the full diff on Github. The new version differs by 56 commits:
version bump to v1.11.5
Merge pull request #2243 from sparklemotion/flavorjones-v1_11_x-update-tests-to-work-with-system-libxml-2_9_12
update CHANGELOG
windows: work around libxml2 xmlCleanupParser
test: adjust tests to pass on system libxml2 >= 2.9.11
ci: windows config for github actions
update CHANGELOG with the GHSA
version bump to v1.11.4
update CHANGELOG with complete CVE information
Merge pull request #2234 from sparklemotion/2233-upgrade-to-libxml-2-9-12
update CHANGELOG
patch: renumber libxml2 patches
test: update behavior of namespaces in HTML
test: remove low-value HTML::SAX::PushParser encoding test
test: adjust xpath gc test to libxml2's max recursion depth
patch: backport libxslt configure.ac change for libxml2 config
patch: fix isnan/isinf patch to apply cleanly to libxml 2.9.12
patch: fix whitespace in libxml2 Makefile.in patch
patch: remove upstream libxml2 patch c1ba6f5
patch: remove upstream libxml2 patches 29f5d20 and a67b63d
patch: remove upstream libxml2 patch afad372
patch: remove upstream libxml2 patch 0e1a49c
dep: upgrade libxml2 from 2.9.10 to 2.9.12
test: establish better baseline behavior for MS Word's html format
ci: add a pipeline for v1.11.x
version bump to v1.11.3
Merge pull request #2215 from sparklemotion/flavorjones-valgrind-test-helpers
test: consolidate jruby version info tests
test: cleanup
test: introduce helpers for skips and for a valgrind block
ci: make some slow tests run only under NOKOGIRI_GC
Merge pull request #2214 from sparklemotion/flavorjones-allow-arm64-compilation
fix: update automake files to allow arm64 to compile package libs
Revert "fix: update automake files to allow arm64 to compile package libs"
fix: update automake files to allow arm64 to compile package libs
ci: provide distinct "compact" and "verify" GC test levels
style: update noko_xml_node_wrap variable names
ci: explicitly do a major GC when testing with compaction
ci: drop NOKOGIRI_TEST_GC_COMPACTION in favor of "compact" _GC_LEVEL
readme: prefer the discord server over a specific channel name
ci: stop notifying discord
Merge pull request #2210 from sparklemotion/1900-check-type-passed-to-document-root-equals
fix: Document#root= raises an ArgumentError for a non-Node arg
prefactor: cleans up Document#root= tests and C code
Merge pull request #2209 from sparklemotion/flavorjones-skip-enumerator-in-valgrind
ci: skip NodeSet enumerator test on valgrind
ci: reduce valgrind suppressions
ci: use suppressions from the repo under test
ci: run tasks in parallel within a job
Merge pull request #2203 from sparklemotion/flavorjones-node-new-block-docs
doc: improve documentation for Document#create_element
doc: document `Node.new`'s optional block param
doc: improve Document::NCNAME doc string
test: label the Minitest::Reporters options when they are printed
doc: clarify language in CONTRIBUTING.md
license: update MIT license copyright dates
↗️ mini_portile2 (indirect, 2.5.0 → 2.5.1) · Repo · Changelog
Release Notes
2.5.1
Commits
See the full diff on Github. The new version differs by 33 commits:
version bump to v2.5.1
fix: #execute should always emit "OK" on success
Merge pull request #100 from flavorjones/flavorjones-execute-takes-env-option
feat: #execute now accepts an optional :env hash
remove remaining traces of concourse
doc: update README with Actions status badge
Merge pull request #98 from flavorjones/flavorjones-migrate-to-github-actions
ci: remove appveyor and concourse configs
ci: set makeflags to parallelize builds
ci: skip sqlite and ares examples on windows
ci: update sqlite version in examples test
ci: separate out test:examples from test:unit
ci: config git so that newlines don't break gpg sigs
ci: add windows coverage to GA CI
test: omit options with spaces from the cmake test
dep: add webrick as a dev dep for Ruby 3.0
ci: linux CI on GA
update default branch from master to main
Merge pull request #95 from amatsuda/https
GitHub is HTTPS by default
Merge pull request #94 from larskanis/appveyor
update CHANGELOG
ci: rename pipelines to avoid concourse warnings
ci: rename pipelines to avoid concourse warnings
Fix cmake usage and related tests on Windows
Update Appveyor-CI to newer rubies
Adjust version dependencies
ci: upgrade to teliaoss/github-pr-resource
ci: remove .travis.yml
README: update badges: travis→concourse, tidelift
README: add Support section with CTA for Tidelift
Create FUNDING.yml
publishing a security reporting process