🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema
are trusted by default, allowing external resources to be accessed over the
network, potentially enabling XXE or SSRF attacks.
This behavior is counter to
the security policy followed by Nokogiri maintainers, which is to treat all input
as untrusted by default whenever possible.
Please note that this security
fix was pushed into a new minor version, 1.11.x, rather than a patch release to
the 1.10.x branch, because it is a breaking change for some schemas and the risk
was assessed to be "Low Severity".
Affected Versions
Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3
Mitigation
There are no known workarounds for affected versions. Upgrade to Nokogiri 1.11.0.rc4 or later.
If, after upgrading to 1.11.0.rc4 or later, you wish
to re-enable network access for resolution of external resources (i.e., return to
the previous behavior):
Ensure the input is trusted. Do not enable this option
for untrusted input.
When invoking the Nokogiri::XML::Schema constructor,
pass as the second parameter an instance of Nokogiri::XML::ParseOptions with the NONET flag turned off.
So if your previous code was:
# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network# but in v1.11.0.rc4 and later, this call will disallow network access for external resourcesschema=Nokogiri::XML::Schema.new(schema)# in v1.11.0.rc4 and later, the following is equivalent to the code above# (the second parameter is optional, and this demonstrates its default value)schema=Nokogiri::XML::Schema.new(schema,Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)
Then you can add the second parameter to indicate that the input is trusted by changing it to:
# in v1.11.0.rc3 and earlier, this would raise an ArgumentError# but in v1.11.0.rc4 and later, this allows resources to be accessed over the networkschema=Nokogiri::XML::Schema.new(trusted_schema,Nokogiri::XML::ParseOptions.new.nononet)
Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.
This is a security release. It addresses three CVEs in upstream libxml2,
for which details are below.
If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses
these vulnerabilities.
Full details about the security update are available in Github Issue
[#1943] #1943.
Description: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings
could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This
could allow an attacker to discern whether a byte on the stack contains the
characters A, a, I, i, or 0, or any other character.
Description: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an
xsl:number instruction was too narrow and an invalid character/length
combination could be passed to xsltNumberFormatDecimal, leading to a read
of uninitialized stack data
Description: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't
reset under certain circumstances. If the relevant memory area happened to
be freed and reused in a certain way, a bounds check could fail and memory
outside a buffer could be written to, or uninitialized data could be
disclosed.
This is a security release. It addresses a CVE in upstream libxslt rated as
"Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More
details are available below.
If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time, though
you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that this patch is not yet (as
of 2019-04-22) in an upstream release of libxslt.
Full details about the security update are available in Github Issue
[#1892] #1892.
libxslt through 1.1.33 allows bypass of a protection mechanism
because callers of xsltCheckRead and xsltCheckWrite permit access
even upon receiving a -1 error code. xsltCheckRead can return -1 for
a crafted URL that is not actually invalid and is subsequently
loaded.
Canonical rates this as "Priority: Medium".
Debian rates this as "NVD Severity: High (attack range: remote)".
MiniPortile.execute now takes an optional :env hash, which is merged into the environment variables for the subprocess. Likely this is only useful for specialized use cases. [#99]
Experimental support for cmake-based projects extended to Windows. (Thanks, @larskanis!)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
depfu[bot]
commented
3 years ago
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ nokogiri (1.10.2 → 1.11.4) · Repo · Changelog
Security Advisories 🚨
🚨 Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
🚨 xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
🚨 Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
🚨 Nokogiri Command Injection Vulnerability
🚨 Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ mini_portile2 (indirect, 2.4.0 → 2.5.1) · Repo · Changelog
Release Notes
2.5.1
2.5.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 43 commits:
version bump to v2.5.1fix: #execute should always emit "OK" on successMerge pull request #100 from flavorjones/flavorjones-execute-takes-env-optionfeat: #execute now accepts an optional :env hashremove remaining traces of concoursedoc: update README with Actions status badgeMerge pull request #98 from flavorjones/flavorjones-migrate-to-github-actionsci: remove appveyor and concourse configsci: set makeflags to parallelize buildsci: skip sqlite and ares examples on windowsci: update sqlite version in examples testci: separate out test:examples from test:unitci: config git so that newlines don't break gpg sigsci: add windows coverage to GA CItest: omit options with spaces from the cmake testdep: add webrick as a dev dep for Ruby 3.0ci: linux CI on GAupdate default branch from master to mainMerge pull request #95 from amatsuda/httpsGitHub is HTTPS by defaultMerge pull request #94 from larskanis/appveyorupdate CHANGELOGci: rename pipelines to avoid concourse warningsci: rename pipelines to avoid concourse warningsFix cmake usage and related tests on WindowsUpdate Appveyor-CI to newer rubiesAdjust version dependenciesci: upgrade to teliaoss/github-pr-resourceci: remove .travis.ymlREADME: update badges: travis→concourse, tideliftREADME: add Support section with CTA for TideliftCreate FUNDING.ymlpublishing a security reporting processversion bump to v2.5.0update CHANGELOGci: ensure bundler is up-to-dateci: ensure bundler is up-to-dateci: update concourse, split pipelines into master and prrakefile: rufo formattinggemspec: update dev dep for bundlergemspec: rufo formattingMerge pull request #90 from hanazuki/multiple-pubkeysRemove all the imported pubkeys from keyring🆕 racc (added, 1.5.2)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands