A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.
This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your version of loofah has known security vulnerabilities 🚨
Advisory: CVE-2019-15587 Disclosed: October 22, 2019 URL: https://github.com/flavorjones/loofah/issues/171
Loofah XSS Vulnerability
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ loofah (indirect, 2.2.3 → 2.3.1) · Repo · Changelog
Release Notes
2.3.1
2.3.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
✳️ nokogiri (1.10.2 → 1.10.4) · Repo · Changelog
Release Notes
1.10.4
1.10.3
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 14 commits:
version bump to v1.10.4Merge branch '1915-css-tokenizer-load-file-vulnerability_v1.10.x' into v1.10.xupdate CHANGELOGregenerate lexical scanner using rexical 1.0.7eliminate `eval` from Builder#initializerufo formattingrubocop security scan is run as part of the `test` rake targetadd rubocop as a dev dependencyadding a temporary pipeline for v1.10.xversion bump to v1.10.3Merge pull request #1898 from sparklemotion/1892-libxslt-patch-for-usn-3947Backport libxslt patch for CVE-2019-11068Merge branch 'concourse-icons'ci: add icons to concourse resources↗️ crass (indirect, 1.0.4 → 1.0.5) · Repo · Changelog
Release Notes
1.0.5
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 4 commits:
Release 1.0.5Remove test files and omit themRemove 1.9.3 from the test matrixUpdate Travis test matrixDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands