[Security] Bump nokogiri from 1.7.2 to 1.8.2

[dependabot-preview[bot]]

Bumps nokogiri from 1.7.2 to 1.8.2. This update includes security fixes.

Vulnerabilities fixed

> **Nokogiri gem, via libxml, is affected by DoS vulnerabilities** > The version of libxml2 packaged with Nokogiri contains a > vulnerability. Nokogiri has mitigated these issue by upgrading to > libxml 2.9.5. > > Wei Lei discovered that libxml2 incorrecty handled certain parameter > entities. An attacker could use this issue with specially constructed XML > data to cause libxml2 to consume resources, leading to a denial of service. > > Patched versions: [">= 1.8.1"] > Unaffected versions: [] > **Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities** > The version of libxml2 packaged with Nokogiri contains several > vulnerabilities. Nokogiri has mitigated these issues by upgrading to > libxml 2.9.5. > > It was discovered that a type confusion error existed in libxml2. An > attacker could use this to specially construct XML data that > could cause a denial of service or possibly execute arbitrary > code. (CVE-2017-0663) > > It was discovered that libxml2 did not properly validate parsed entity > references. An attacker could use this to specially construct XML > data that could expose sensitive information. (CVE-2017-7375) > > It was discovered that a buffer overflow existed in libxml2 when > handling HTTP redirects. An attacker could use this to specially > construct XML data that could cause a denial of service or possibly > execute arbitrary code. (CVE-2017-7376) > > Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in > libxml2 when handling elements. An attacker could use this to specially > construct XML data that could cause a denial of service or possibly > execute arbitrary code. (CVE-2017-9047) > > Marcel Böhme and Van-Thuan Pham discovered a buffer overread > in libxml2 when handling elements. An attacker could use this > to specially construct XML data that could cause a denial of > service. (CVE-2017-9048) > > Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads > in libxml2 when handling parameter-entity references. An attacker > could use these to specially construct XML data that could cause a > denial of service. (CVE-2017-9049, CVE-2017-9050) > > Patched versions: [">= 1.8.1"] > Unaffected versions: [] > **Nokogiri gem, via libxml, is affected by DoS vulnerabilities** > The version of libxml2 packaged with Nokogiri contains a > vulnerability. Nokogiri has mitigated these issue by upgrading to > libxml 2.9.6. > > It was discovered that libxml2 incorrecty handled certain files. An attacker > could use this issue with specially constructed XML data to cause libxml2 to > consume resources, leading to a denial of service. > > Patched versions: [">= 1.8.2"] > Unaffected versions: []

Changelog

*Sourced from nokogiri's [changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).* > # 1.8.2 / 2018-01-29 > > ## Security Notes > > [MRI] The update of vendored libxml2 from 2.9.5 to 2.9.7 addresses at least one published vulnerability, CVE-2017-15412. [#1714 has complete details] > > > ## Dependencies > > * [MRI] libxml2 is updated from 2.9.5 to 2.9.7 > * [MRI] libxslt is updated from 1.1.30 to 1.1.32 > > > ## Features > > * [MRI] OpenBSD installation should be a bit easier now. [#1685] (Thanks, [**jeremyevans**](https://github.com/jeremyevans)!) > * [MRI] Cross-built Windows gems now support Ruby 2.5 > > > ## Bug fixes > > * Node#serialize once again returns UTF-8-encoded strings. [#1659] > * [JRuby] made SAX parsing of characters consistent with C implementation [#1676] (Thanks, [**andrew**](https://github.com/andrew)-aladev!) > * [MRI] Predefined entities, when inspected, no longer cause a segfault. [#1238] > > > # 1.8.1 / 2017-09-19 > > ## Dependencies > > * [MRI] libxml2 is updated from 2.9.4 to 2.9.5. > * [MRI] libxslt is updated from 1.1.29 to 1.1.30. > * [MRI] optional dependency on the pkg-config gem has had its constraint loosened to `~> 1.1` (from `~> 1.1.7`). [#1660] > * [MRI] Upgrade mini_portile2 dependency from `~> 2.2.0` to `~> 2.3.0`, which will validate checksums on the vendored libxml2 and libxslt tarballs before using them. > > > ## Bugs > > * NodeSet#first with an integer argument longer than the length of the NodeSet now correctly clamps the length of the returned NodeSet to the original length. [#1650] (Thanks, [**Derenge**](https://github.com/Derenge)!) > * [MRI] Ensure CData.new raises TypeError if the `content` argument is not implicitly convertible into a string. [#1669] > > > # 1.8.0 / 2017-06-04 > > ## Backwards incompatibilities > > This release ends support for Ruby 2.1 on Windows in the `x86-mingw32` and `x64-mingw32` platform gems (containing pre-compiled DLLs). Official support ended for Ruby 2.1 on 2017-04-01. > > Please note that this deprecation note only applies to the precompiled Windows gems. Ruby 2.1 continues to be supported (for now) in the default gem when compiled on installation. > > ... (truncated)

Commits

- [`f80f4ad`](https://github.com/sparklemotion/nokogiri/commit/f80f4ad9f553811435aa2c40908a49fcd26c4533) version bump to 1.8.2 - [`d35ed46`](https://github.com/sparklemotion/nokogiri/commit/d35ed46f618e9c41e464a392fbc43df2b6cfa529) update CHANGELOG - [`62b1a5b`](https://github.com/sparklemotion/nokogiri/commit/62b1a5b1a9aa32983d5dc4d09a156241f97c8797) update CHANGELOG - [`6e14afe`](https://github.com/sparklemotion/nokogiri/commit/6e14afef81a4ecac6aac9b238ec2cedb86bd9bd0) Merge pull request [#1713](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1713) from sparklemotion/flavorjones-1238-segfault-reparen... - [`b1494e5`](https://github.com/sparklemotion/nokogiri/commit/b1494e5ae55ad704efb4a7d7d3aca4294f42a0ce) ensure EntityReferences ignore malformed children - [`d3456e4`](https://github.com/sparklemotion/nokogiri/commit/d3456e456328e8af9809e216204622a40d012525) update CHANGELOG - [`bf94cf5`](https://github.com/sparklemotion/nokogiri/commit/bf94cf503394edf2e74462e9ff3a6b822c21bf0c) remove hacks to discover the path to `racc` - [`734d4d4`](https://github.com/sparklemotion/nokogiri/commit/734d4d4763c1dee9601d7c385990e237a5eee8a9) Merge pull request [#1704](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1704) from larskanis/win-ruby-2.5 - [`cc80904`](https://github.com/sparklemotion/nokogiri/commit/cc80904c9770e83df97548e02f5c829fe24a25bc) Appveyor: Add ruby-2.4 and ruby-head to build matrix - [`992d81b`](https://github.com/sparklemotion/nokogiri/commit/992d81b5bd3a41c4c928700095e2d7dc6663b6d8) Windows: Add cross build for ruby-2.5 - Additional commits viewable in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.7.2...v1.8.2)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot ignore this [minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use [this|these] label[s]` will set the current labels as the default for future PRs for this repo and language Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) Finally, you can contact us by mentioning @dependabot.