yegor256 / blog

My blog about computers, written in Jekyll and deployed to GitHub Pages
https://www.yegor256.com

Update dependency nokogiri to v1.13.10 [SECURITY] #580

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| nokogiri | patch | `'1.13.9' -> '1.13.10'` |

GitHub Vulnerability Alerts

CVE-2022-23476

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

Credit

This vulnerability was responsibly reported by @davidwilemski.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
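The advisory's Mitigation section gives two steps: confirm the installed nokogiri version is at or above 1.13.10, and search the code for calls to `XML::Reader#attributes` or `XML::Reader#attribute_hash`. The script below is an added example (it is not part of this PR, of Renovate, or of the nokogiri project) that does both on constructed input: it reads the resolved nokogiri version out of a `Gemfile.lock`, checks it against the affected range named in the advisory, and scans Ruby source text for the two method names. The `Gemfile.lock` excerpt and the two source snippets are constructed for the demonstration; the function names (`nokogiri_version`, `vulnerable_version?`, `affected_call_sites`, `audit`) are this example's own.

```ruby
# Added example for CVE-2022-23476 (not code from the PR or from nokogiri).
# 1. Extract the resolved nokogiri version from Gemfile.lock and compare it
#    with the affected versions (1.13.8 and 1.13.9) and the fix (1.13.10).
# 2. Grep Ruby sources for the XML::Reader methods the advisory names.
# All inputs below are constructed for the demonstration.

FIXED_VERSION = Gem::Version.new("1.13.10")
FIRST_AFFECTED = Gem::Version.new("1.13.8")

# Constructed Gemfile.lock excerpt; the platform suffix is deliberately
# present because that is how a native nokogiri gem is recorded.
SAMPLE_LOCKFILE = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    nokogiri (1.13.9-x86_64-linux)
      racc (~> 1.4)
    racc (1.6.0)
LOCK

# Constructed source that really uses Nokogiri::XML::Reader (never executed,
# only scanned).
READER_SOURCE = <<~'RUBY'
  reader = Nokogiri::XML::Reader(File.read("feed.xml"))
  reader.each do |node|
    puts node.attribute_hash.inspect
    puts node.attributes.keys
  end
RUBY

# Constructed source where ".attributes" is an unrelated method (ActiveRecord
# style); it shows why hits need a receiver check.
MODEL_SOURCE = <<~'RUBY'
  user = User.find(params[:id])
  render json: user.attributes
RUBY

# Gemfile.lock records a gem as "    nokogiri (1.13.9)" or, for a native gem,
# "    nokogiri (1.13.9-x86_64-linux)"; the platform suffix is stripped so the
# version compares correctly.
def nokogiri_version(lockfile_text)
  m = lockfile_text.match(/^\s{4}nokogiri \(([\d.]+)(?:-[^)]+)?\)/)
  m && Gem::Version.new(m[1])
end

# Affected: 1.13.8 <= version < 1.13.10 (nil means nokogiri is not pinned).
def vulnerable_version?(version)
  return false if version.nil?
  version >= FIRST_AFFECTED && version < FIXED_VERSION
end

# The method names the advisory tells users to search for.
READER_CALL = /\.(attributes|attribute_hash)\b/

# Returns one hash per matching line. "attributes" is a common method name,
# so each hit also records whether the file mentions XML::Reader at all;
# hits without that mention need a manual look at the receiver.
def affected_call_sites(source)
  mentions_reader = source.include?("XML::Reader")
  source.each_line.with_index(1)
        .select { |line, _| line.match?(READER_CALL) }
        .map { |line, n| { line: n, code: line.strip, reader_in_file: mentions_reader } }
end

# Combine both checks into one report keyed by file name.
def audit(lockfile_text, sources)
  version = nokogiri_version(lockfile_text)
  {
    version: version&.to_s,
    vulnerable: vulnerable_version?(version),
    call_sites: sources.transform_values { |src| affected_call_sites(src) }
  }
end

if __FILE__ == $PROGRAM_NAME
  report = audit(SAMPLE_LOCKFILE, "feed_reader.rb" => READER_SOURCE,
                                  "users_controller.rb" => MODEL_SOURCE)
  puts "nokogiri #{report[:version]} vulnerable=#{report[:vulnerable]}"
  report[:call_sites].each do |file, hits|
    hits.each do |h|
      tag = h[:reader_in_file] ? "XML::Reader in file" : "check receiver"
      puts "#{file}:#{h[:line]}: #{h[:code]}  (#{tag})"
    end
  end
end
```

The version check is the part that matters for this PR: with the lockfile still at 1.13.9 the report says vulnerable, and after the bump to 1.13.10 it does not. The call-site scan only tells you whether the upgrade is urgent for the application; the advisory says the crash path is reached through `XML::Reader#attribute_hash`, so a code base with no hits on either method is not exercising it.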

0crat commented 1 year ago

@renovate/z[bot] this pull request is too small, just 2 lines changed (less than 10), there will be no formal code review, see §53 and §28; in the future, try to make sure your pull requests are not too small; @yegor256/z please review this and merge or reject

yegor256 commented 1 year ago

@rultor please, try to merge

rultor commented 1 year ago

> @rultor please, try to merge

@yegor256 OK, I'll try to merge now. You can check the progress of the merge here

rultor commented 1 year ago

> @rultor please, try to merge

@yegor256 Done! FYI, the full log is here (took me 12min)

0crat commented 1 year ago

Job gh:yegor256/blog#580 is not assigned, can't get performer

0crat commented 1 year ago

There is an unrecoverable failure on my side. Please, submit it here:

PID: 4@142d7046-8fa5-4260-867c-744acc2693c8, thread: PQ-C3RFVLU72
com.zerocracy.farm.strict.StrictProject[122] java.lang.IllegalArgumentException: File "blanks/renovate[bot].xml" is not accessible in "PMO"

1.0-SNAPSHOT: CID: 065ea496-b859-424d-a794-42cde7ad4bb6, Type: "Close job"