Closed renovate[bot] closed 1 year ago
@rultor please, try to merge
@rultor please, try to merge
@yegor256 OK, I'll try to merge now. You can check the progress of the merge here
@rultor please, try to merge
@yegor256 Done! FYI, the full log is here (took me 12min)
Job gh:yegor256/blog#580
is not assigned, can't get performer
There is an unrecoverable failure on my side. Please, submit it here:
PID: 4@142d7046-8fa5-4260-867c-744acc2693c8, thread: PQ-C3RFVLU72
com.zerocracy.farm.strict.StrictProject[122] java.lang.IllegalArgumentException: File "blanks/renovate[bot].xml" is not accessible in "PMO"
1.0-SNAPSHOT: CID: 065ea496-b859-424d-a794-42cde7ad4bb6, Type: "Close job"
This PR contains the following updates:
'1.13.9' -> '1.13.10'
GitHub Vulnerability Alerts
CVE-2022-23476
Summary
Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.
For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.
Mitigation
Upgrade to Nokogiri >= 1.13.10.
Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.
Severity
The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
Credit
This vulnerability was responsibly reported by @davidwilemski.
Configuration
Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
Automerge: Disabled by config. Please merge this manually once you are satisfied.
Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
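One way to run the check the Mitigation text suggests, as an added example that is not part of this PR, Renovate, or Nokogiri: it reads the resolved nokogiri version from Gemfile.lock text and, if it is one of the versions named in the advisory, lists lines calling `#attributes` or `#attribute_hash` in files that reference `XML::Reader`. The function names, the lock file and the source samples are constructed for illustration, and the call-site match is a heuristic that needs manual review.

```ruby
# Versions the advisory text names as affected (taken from the PR body).
AFFECTED = %w[1.13.8 1.13.9].map { |v| Gem::Version.new(v) }.freeze

# Pull the resolved nokogiri version out of Gemfile.lock text. Resolved gems
# sit at 4 spaces, e.g. "    nokogiri (1.13.9)" or "    nokogiri (1.13.9-x86_64-linux)".
def locked_nokogiri_version(lock_text)
  m = lock_text.match(/^ {4}nokogiri \((\d+(?:\.\d+)*)/)
  m && Gem::Version.new(m[1])
end

# Heuristic: flag #attributes / #attribute_hash calls only in files that also
# mention XML::Reader. #attributes is a common method name, so review each hit.
CALL = /\.(attribute_hash|attributes)\b/

def reader_attribute_calls(sources)
  sources.flat_map do |path, code|
    next [] unless code.match?(/XML::Reader/)
    code.each_line.with_index(1).select { |line, _| line.match?(CALL) }
        .map { |line, n| "#{path}:#{n}: #{line.strip}" }
  end
end

# Combine both checks: call sites only matter when the locked version is affected.
def assess(lock_text, sources)
  version = locked_nokogiri_version(lock_text)
  affected = !version.nil? && AFFECTED.include?(version)
  { version: version&.to_s, affected: affected,
    call_sites: affected ? reader_attribute_calls(sources) : [] }
end

# Constructed sample inputs (not taken from the repository in this PR).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.0)
      nokogiri (1.13.9)
        mini_portile2 (~> 2.8.0)
LOCK

SAMPLE_SOURCES = {
  "lib/feed.rb" => <<~RUBY,
    reader = Nokogiri::XML::Reader(File.read(path))
    reader.each { |node| puts node.attributes["id"] }
  RUBY
  "lib/user.rb" => "user.attributes.slice(:name)\n"
}

p assess(SAMPLE_LOCK, SAMPLE_SOURCES)
```
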