[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.
This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
depfu[bot]
commented
4 years ago
🚨 Your version of nokogiri has known security vulnerabilities 🚨
Advisory: CVE-2020-7595 Disclosed: February 10, 2020 URL: https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7595.html
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ nokogiri (1.10.2 → 1.10.8) · Repo · Changelog
Release Notes
1.10.8
1.10.7
1.10.6
1.10.5
1.10.4
1.10.3
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 35 commits:
version bump to v1.10.8update CHANGELOG for v1.10.8remove patches from the hoe Manifestupdate to use rake-compiler ~1.1.0backport libxml2 patch for CVE-2020-7595version bump to v1.10.7update CHANGELOGFix the patch from #1953 to work with both `git` and `patch`Fix typo in generated metadataadd gem metadataversion bump to v1.10.6update CHANGELOGAdd a patch to fix libxml2.la's pathadd security note to CHANGELOGversion bump to v1.10.5update CHANGELOGdependency: update libxslt to 1.1.34 finaldependency: update libxml to 2.9.10 finaladd suppressions for ruby 2.7update CHANGELOG with correct release date for v1.10.4update rake-compiler commands to install bundlerversion bump to v1.10.4Merge branch '1915-css-tokenizer-load-file-vulnerability_v1.10.x' into v1.10.xupdate CHANGELOGregenerate lexical scanner using rexical 1.0.7eliminate `eval` from Builder#initializerufo formattingrubocop security scan is run as part of the `test` rake targetadd rubocop as a dev dependencyadding a temporary pipeline for v1.10.xversion bump to v1.10.3Merge pull request #1898 from sparklemotion/1892-libxslt-patch-for-usn-3947Backport libxslt patch for CVE-2019-11068Merge branch 'concourse-icons'ci: add icons to concourse resourcesDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands