theodi / frontend-www

The main frontend for the Quirkafleeg publishing platform

[Security] Bump nokogiri from 1.6.6.2 to 1.6.8.1 #515

Open dependabot-preview[bot] opened 6 years ago

dependabot-preview[bot] commented 6 years ago

Bumps nokogiri from 1.6.6.2 to 1.6.8.1. This update includes security fixes.

Vulnerabilities fixed

> **Denial of service or RCE from libxml2 and libxslt**
> Nokogiri is affected by a series of vulnerabilities in libxml2 and libxslt,
> which are libraries Nokogiri depends on. It was discovered that libxml2 and
> libxslt incorrectly handled certain malformed documents, which can allow
> malicious users to cause issues ranging from denial of service to remote code
> execution attacks.
>
> For more information, the Ubuntu Security Notice is a good start:
> http://www.ubuntu.com/usn/usn-2994-1/
>
> Patched versions: [">= 1.6.8"]
> Unaffected versions: ["< 1.6.0"]
>
> **Nokogiri gem contains several vulnerabilities in libxml2**
> Nokogiri version 1.6.7.1 has been released, pulling in several upstream
> patches to the vendored libxml2 to address the following CVEs:
>
> CVE-2015-5312
> CVSS v2 Base Score: 7.1 (HIGH)
> The xmlStringLenDecodeEntities function in parser.c in libxml2
> before 2.9.3 does not properly prevent entity expansion, which
> allows context-dependent attackers to cause a denial of
> service (CPU consumption) via crafted XML data, a different
> vulnerability than CVE-2014-3660.
>
> CVE-2015-7497
> CVSS v2 Base Score: 5.0 (MEDIUM)
> Heap-based buffer overflow in the xmlDictComputeFastQKey
> function in dict.c in libxml2 before 2.9.3 allows
> context-dependent attackers to cause a denial of service via
> unspecified vectors.
>
> CVE-2015-7498
> CVSS v2 Base Score: 5.0 (MEDIUM)
> Heap-based buffer overflow in the xmlParseXmlDecl function in
> parser.c in libxml2 before 2.9.3 allows context-dependent
> attackers to cause a denial of service via unspecified vectors
> related to extracting errors after an encoding conversion
> failure.
>
> CVE-2015-7499
> CVSS v2 Base Score: 5.0 (MEDIUM)
> Heap-based buffer overflow in the xmlGROW function in parser.c
> in libxml2 before 2.9.3 allows context-dependent attackers to
> obtain sensitive process memory information via unspecified
> vectors.
>
> CVE-2015-7500
> CVSS v2 Base Score: 5.0 (MEDIUM)
> The xmlParseMisc function in parser.c in libxml2 before 2.9.3
> allows context-dependent attackers to cause a denial of
> service (out-of-bounds heap read) via unspecified vectors
> related to incorrect entities boundaries and start tags.
>
> CVE-2015-8241
> CVSS v2 Base Score: 6.4 (MEDIUM)
> The xmlNextChar function in libxml2 2.9.2 does not properly
> check the state, which allows context-dependent attackers to
> cause a denial of service (heap-based buffer over-read and
> application crash) or obtain sensitive information via crafted
> XML data.
>
> CVE-2015-8242
> CVSS v2 Base Score: 5.8 (MEDIUM)
> The xmlSAX2TextNode function in SAX2.c in the push interface in
> the HTML parser in libxml2 before 2.9.3 allows
> context-dependent attackers to cause a denial of
> service (stack-based buffer over-read and application crash) or
> obtain sensitive information via crafted XML data.
>
> CVE-2015-8317
> CVSS v2 Base Score: 5.0 (MEDIUM)
> The xmlParseXMLDecl function in parser.c in libxml2 before
> 2.9.3 allows context-dependent attackers to obtain sensitive
> information via an (1) unterminated encoding value or (2)
> incomplete XML declaration in XML data, which triggers an
> out-of-bounds heap read.
>
> Patched versions: [">= 1.6.7.1"]
> Unaffected versions: ["< 1.6.0"]
>
> **Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2**
> Nokogiri version 1.6.7.2 has been released, pulling in several upstream
> patches to the vendored libxml2 to address the following CVE:
>
> CVE-2015-7499
> CVSS v2 Base Score: 5.0 (MEDIUM)
>
> Heap-based buffer overflow in the xmlGROW function in parser.c
> in libxml2 before 2.9.3 allows context-dependent attackers to
> obtain sensitive process memory information via unspecified
> vectors.
>
> libxml2 could be made to crash if it opened a specially crafted
> file. It was discovered that libxml2 incorrectly handled certain
> malformed documents. If a user or automated system were tricked
> into opening a specially crafted document, an attacker could
> possibly cause libxml2 to crash, resulting in a denial of service.
>
> Patched versions: [">= 1.6.7.2"]
> Unaffected versions: ["< 1.6.0"]
>
> **Nokogiri gem contains several vulnerabilities in libxml2 and libxslt**
> Several vulnerabilities were discovered in the libxml2 and libxslt libraries
> that the Nokogiri gem depends on.
>
> CVE-2015-1819
> A denial of service flaw was found in the way libxml2 parsed XML
> documents. This flaw could cause an application that uses libxml2 to use an
> excessive amount of memory.
>
> CVE-2015-7941
> libxml2 does not properly stop parsing invalid input, which allows
> context-dependent attackers to cause a denial of service (out-of-bounds read
> and libxml2 crash) via specially crafted XML data.
>
> CVE-2015-7942
> The xmlParseConditionalSections function in parser.c in libxml2
> does not properly skip intermediary entities when it stops parsing invalid
> input, which allows context-dependent attackers to cause a denial of service
> (out-of-bounds read and crash) via crafted XML data.
>
> CVE-2015-7995
> The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not
> check whether the parent node is an element, which allows attackers to cause
> a denial of service using a specially crafted XML document.
>
> CVE-2015-8035
> The xz_decomp function in xzlib.c in libxml2 2.9.1 does not
> properly detect compression errors, which allows context-dependent attackers
> to cause a denial of service (process hang) via crafted XML data.
>
> Another vulnerability was discovered in libxml2 that could cause parsing
> of unclosed comments to result in "conditional jump or move depends on
> uninitialized value(s)" and unsafe memory access. This issue does not have a
> CVE assigned yet. See related URLs for details. Patched in v1.6.7.rc4.
>
> Patched versions: ["~> 1.6.6.4", ">= 1.6.7.rc4"]
> Unaffected versions: []
Changelog

*Sourced from nokogiri's [changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).*

> # 1.6.8.1 / 2016-10-03
>
> ## Dependency License Notes
>
> Removes required dependency on the `pkg-config` gem. This dependency
> was introduced in v1.6.8 and, because it's distributed under LGPL, was
> objectionable to many Nokogiri users ([#1488](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1488), [#1496](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1496)).
>
> This version makes `pkg-config` an optional dependency. If it's
> installed, it's used; but otherwise Nokogiri will attempt to work
> around its absence.
>
>
> # 1.6.8 / 2016-06-06
>
> ## Security Notes
>
> [MRI] Bundled libxml2 is upgraded to 2.9.4, which fixes many security issues. Many of these had previously been patched in the vendored libxml 2.9.2 in the 1.6.7.x branch, but some are newer.
>
> See these libxml2 email posts for more:
>
> * https://mail.gnome.org/archives/xml/2015-November/msg00012.html
> * https://mail.gnome.org/archives/xml/2016-May/msg00023.html
>
> For a more detailed analysis, you may care to read Canonical's take on these security issues:
>
> * http://www.ubuntu.com/usn/usn-2994-1
>
>
> [MRI] Bundled libxslt is upgraded to 1.1.29, which fixes a security issue as well as many long-known outstanding bugs, some features, some portability improvements, and general cleanup.
>
> See this libxslt email post for more:
>
> * https://mail.gnome.org/archives/xslt/2016-May/msg00004.html
>
>
> ## Features
>
> Several changes were made to improve performance:
>
> * [MRI] Simplify NodeSet#to_a with a minor speed-up. ([#1397](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1397))
> * XML::Node#ancestors optimization. ([#1297](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1297)) (Thanks, Bruno Sutic!)
> * Use Symbol#to_proc where we weren't previously. ([#1296](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1296)) (Thanks, Bruno Sutic!)
> * XML::DTD#each uses implicit block calls. (Thanks, [**glaucocustodio**](https://github.com/glaucocustodio)!)
> * Fall back to the `pkg-config` gem if we're having trouble finding the system libxml2. This should help many FreeBSD users. ([#1417](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1417))
> * Set document encoding appropriately even on blank document. ([#1043](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1043)) (Thanks, [**batter**](https://github.com/batter)!)
>
>
> ## Bug Fixes
>
> ... (truncated)
Commits

- [`002e4d8`](https://github.com/sparklemotion/nokogiri/commit/002e4d8481dcc15bbf23fb385cdf5ebfed892442) version bump to v1.6.8.1
- [`3b9ee4b`](https://github.com/sparklemotion/nokogiri/commit/3b9ee4baa2879be181227ee076cf54a062b93933) update CHANGELOG for pkg-config
- [`f2dd079`](https://github.com/sparklemotion/nokogiri/commit/f2dd07910d2b8b332ce94f7daa4184532a0d8b4e) Make the pkg-config gem optional.
- [`6b05c5a`](https://github.com/sparklemotion/nokogiri/commit/6b05c5a5d319575f14d1cfc924c92f0df19a52cd) update v1.6.8 date in CHANGELOG
- [`1103a64`](https://github.com/sparklemotion/nokogiri/commit/1103a647ee84837c6f23c4fe21e554bc2d3708bf) version bump to v1.6.8 final
- [`03d4022`](https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028) update CHANGELOG with libxml2 USN info
- [`a7da0f9`](https://github.com/sparklemotion/nokogiri/commit/a7da0f9217c7d00d9bd22be9948e73934ee55117) make sure test_all will errexit
- [`8d4ea86`](https://github.com/sparklemotion/nokogiri/commit/8d4ea8671035a59d13936bce263cc7edb031fda0) make sure test_all doesn't require libxml-ruby
- [`80e800b`](https://github.com/sparklemotion/nokogiri/commit/80e800bdb7ab5c04d19fcffdd6cc6c877b3f4279) use eval_gemfile to load libxml-ruby
- [`95ba49a`](https://github.com/sparklemotion/nokogiri/commit/95ba49addfb6dbece66127287d119b5955c4d28b) test_all uses Bundler 1.12.*
- Additional commits viewable in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.6.6.2...v1.6.8.1)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot ignore this [minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use [this|these] label[s]` will set the current labels as the default for future PRs for this repo and language

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)

Finally, you can contact us by mentioning @dependabot.
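As an added example (not part of this Dependabot PR, the nokogiri project, or this repository), the script below reproduces the version-range decision a dependency scanner makes from the `Patched versions` / `Unaffected versions` arrays quoted in the advisories above. It uses only rubygems' `Gem::Version` and `Gem::Requirement`, and runs the check over a constructed `Gemfile.lock` excerpt (not this repository's real lockfile) once at 1.6.6.2 and once at 1.6.8.1. The `locked_version` helper and its assumption that top-level specs in `Gemfile.lock` are indented by exactly four spaces are mine.

```ruby
# Added example: check a locked nokogiri version against the advisory ranges
# quoted in this PR. Not code from Dependabot, nokogiri, or this repository.
require "rubygems"

# Advisory ranges copied from the PR description; both arrays use rubygems
# requirement syntax, so Gem::Requirement can evaluate them directly.
NOKOGIRI_ADVISORIES = [
  { title: "Denial of service or RCE from libxml2 and libxslt",
    patched: [">= 1.6.8"], unaffected: ["< 1.6.0"] },
  { title: "Nokogiri gem contains several vulnerabilities in libxml2",
    patched: [">= 1.6.7.1"], unaffected: ["< 1.6.0"] },
  { title: "Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2",
    patched: [">= 1.6.7.2"], unaffected: ["< 1.6.0"] },
  { title: "Nokogiri gem contains several vulnerabilities in libxml2 and libxslt",
    patched: ["~> 1.6.6.4", ">= 1.6.7.rc4"], unaffected: [] },
].freeze

# True if the version satisfies at least one requirement in the list.
# Each array entry is an independent alternative, which is what makes
# "~> 1.6.6.4" OR ">= 1.6.7.rc4" cover both the 1.6.6.x backport and 1.6.7+.
def satisfies_any?(version, requirements)
  requirements.any? { |r| Gem::Requirement.new(r).satisfied_by?(version) }
end

# A version is NOT affected by an advisory if it is in the patched range or
# in the unaffected range; anything else is flagged (the rule bundler-audit
# style scanners apply to these two arrays).
def vulnerable_to?(version_string, advisory)
  v = Gem::Version.new(version_string)
  !(satisfies_any?(v, advisory[:patched]) || satisfies_any?(v, advisory[:unaffected]))
end

# Pull the resolved version of one gem out of Gemfile.lock text.
# Assumption (mine): top-level entries under "specs:" are indented by exactly
# four spaces, e.g. "    nokogiri (1.6.6.2)"; the DEPENDENCIES section and
# nested dependency lines use a different indent and are skipped.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)/)
  m && m[1]
end

# Titles of the advisories the locked nokogiri version is still exposed to.
def advisories_for(lockfile_text, gem_name = "nokogiri")
  version = locked_version(lockfile_text, gem_name) or return []
  NOKOGIRI_ADVISORIES.select { |a| vulnerable_to?(version, a) }.map { |a| a[:title] }
end

# Constructed Gemfile.lock excerpts, not this repository's real lockfile.
BEFORE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile (0.6.2)
      nokogiri (1.6.6.2)
        mini_portile (~> 0.6.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
LOCK

# The same lockfile after applying this PR's bump.
AFTER_LOCK = BEFORE_LOCK.sub("nokogiri (1.6.6.2)", "nokogiri (1.6.8.1)")

if $PROGRAM_NAME == __FILE__
  puts "before bump (1.6.6.2): #{advisories_for(BEFORE_LOCK).size} open advisories"
  advisories_for(BEFORE_LOCK).each { |t| puts "  - #{t}" }
  puts "after bump (1.6.8.1):  #{advisories_for(AFTER_LOCK).size} open advisories"
end
```

Run it with `ruby check_nokogiri.rb`. Note that an intermediate version such as 1.6.7.2 clears three of the four advisories but stays flagged for the first one (its patched range starts at 1.6.8), which is why the bump goes all the way to 1.6.8.1; conversely a pre-1.6.0 release is "unaffected" by the three libxml2 advisories yet still flagged by the last one, whose unaffected list is empty.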