Skip to content
This repository was archived by the owner on Jul 12, 2022. It is now read-only.

🚨 [security] Update nokogiri: 1.6.6.2 → 1.8.5 (minor) #24

Closed
depfu wants to merge 1 commit into from
Closed

🚨 [security] Update nokogiri: 1.6.6.2 → 1.8.5 (minor) #24

depfu wants to merge 1 commit into from

Conversation

@depfu
Copy link

@depfu depfu bot commented Oct 5, 2018

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

⚠️ No CI detected ⚠️

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

  • Our friends at Travis-CI provide excellent service.
  • Circle CI are good, too, and have a free plan that will cover basic needs.
  • If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github.
  • If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with depfu/.

It might be necessary to once deactivate and reactivate your project in Depfu for the CI service to be properly detected.


🚨 Your version of nokogiri has known security vulnerabilities 🚨

Advisory: CVE-2018-14404
Disclosed: October 04, 2018
URL: https://github.com/sparklemotion/nokogiri/issues/1785

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities

Nokogiri 1.8.5 has been released.

This is a security and bugfix release. It addresses two CVEs in upstream
libxml2 rated as "medium" by Red Hat, for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that these patches are not
yet (as of 2018-10-04) in an upstream release of libxml2.

Full details about the security update are available in Github Issue #1785.
[#1785]: #1785

[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404
and CVE-2018-14567. Full details are available in #1785. Note that these
patches are not yet (as of 2018-10-04) in an upstream release of libxml2.

CVE-2018-14404

Permalink:

https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html

Description:

A NULL pointer dereference vulnerability exists in the
xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when
parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR
case. Applications processing untrusted XSL format inputs with the use of
the libxml2 library may be vulnerable to a denial of service attack due
to a crash of the application

Canonical rates this vulnerability as "Priority: Medium"

CVE-2018-14567

Permalink:

https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html

Description:

infinite loop in LZMA decompression

Canonical rates this vulnerability as "Priority: Medium"


🚨 We recommend to merge and deploy this update as soon as possible! 🚨

We've updated a dependency and here is what you need to know:

name version specification old version new version
nokogiri indirect dependency 1.6.6.2 1.8.5

To resolve a dependency conflict, the update changed a few other dependencies as well:

action name old version new version
added concurrent-ruby 1.0.5
added crass 1.0.4
added mini_portile2 2.3.0
removed mini_portile 0.6.2
updated builder 3.2.2 3.2.3
updated i18n 0.7.0 0.9.5
updated jquery-rails 4.0.4 4.0.5
updated json 1.8.3 1.8.6
updated loofah 2.0.2 2.2.2
updated minitest 5.7.0 5.11.3
updated rack 1.6.4 1.6.10
updated rails-dom-testing 1.0.6 1.0.9
updated rails-html-sanitizer 1.0.2 1.0.4
updated rake 10.4.2 12.3.1
updated thor 0.19.1 0.20.0
updated thread_safe 0.3.5 0.3.6
updated tzinfo 1.2.2 1.2.5

You should probably take a good look at the info here and the test results before merging this pull request, of course.

What changed?

↗️ nokogiri (indirect, 1.6.6.2 → 1.8.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ builder (indirect, 3.2.2 → 3.2.3) · Repo · Changelog

↗️ i18n (indirect, 0.7.0 → 0.9.5) · Repo · Changelog

Release Notes

1.1.0

  • Simplified default exception handler - #414
  • Fallbacks now exclude default locale - #415, possibly fixes #413 + #338
  • Fixed deprecated use of assert_nothing_raised #417
  • Fixed pluralization behavior for KeyValue backend with subtrees disabled - #419
  • Allow yaml file extension - #421

1.0.1

  • Removed creation of some anonymous objects in I18n - #393
  • Added missing key exception_handler to reserved keys - #412

Thanks to @stereobooster and @tjoyal.

0.9.5

  • #404 reported a regression in 0.9.3, which wasn't fixed by 0.9.4. #408 fixes this issue.

Thanks @wjordan!

0.9.4

  • Fixed a regression with chained backends introduced in v0.9.3 (#402) - #405 - bug report / #407 - PR to fix
  • Optimize Backend::Simple#available_locales - reports are that this is now 4x faster than previously - #406

0.9.3

(For those wondering where v0.9.2 went: I got busy after I pushed the commit for the release, so there was no gem release that day. I am not busy today, so here is v0.9.3 in its stead. This changelog contains changes from v0.9.1 -> v0.9.3)

  • I18n no longer stores translations for unavailable locales. #391.
  • Added the ability to interpolate with arrays #395.
  • Documentation for lambda has been corrected. #396
  • I18n will use oj -- a faster JSON library -- but only if it is available. #398
  • Fixed an issue with translate and default: [false] as an option. #399
  • Fixed an issue with translate with nil and empty keys. #400
  • Fix issue with disabled subtrees and pluralization for KeyValue backend #402

Thank you to @stereobooster, @fatkodima and @lulalala for the patches that went towards this release. We appreciate your efforts!

0.9.1

  • Reverted Hash#slice behaviour introduced with #250 - See #390.
  • Fixed a regression caused by #387, where translations may have returned a not-helpful error message - See #389

0.9.0

  • Made Backend::Memoize threadsafe. See #51 and #352.
  • Added a middleware I18n::Middleware that should be used to ensure that i18n config is reset correctly between requests. See #381 and #382.

0.8.6

Fixed a small regression introduced in v0.8.5 when using fallbacks - See #378

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ jquery-rails (4.0.4 → 4.0.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 11 commits:

↗️ json (indirect, 1.8.3 → 1.8.6) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 31 commits:

↗️ loofah (indirect, 2.0.2 → 2.2.2) · Repo · Changelog

Release Notes

2.2.2

2.2.2 / 2018-03-22

Make public Loofah::HTML5::Scrub.force_correct_attribute_escaping!,
which was previously a private method. This is so that downstream gems
(like rails-html-sanitizer) can use this logic directly for their own
attribute scrubbers should they need to address CVE-2018-8048.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.7.0 → 5.11.3) · Repo · Changelog

↗️ rack (indirect, 1.6.4 → 1.6.10) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 26 commits:

↗️ rails-dom-testing (indirect, 1.0.6 → 1.0.9) · Repo

Commits

See the full diff on Github. The new version differs by 19 commits:

↗️ rails-html-sanitizer (indirect, 1.0.2 → 1.0.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 27 commits:

↗️ rake (indirect, 10.4.2 → 12.3.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thor (indirect, 0.19.1 → 0.20.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thread_safe (indirect, 0.3.5 → 0.3.6) · Repo

Commits

See the full diff on Github. The new version differs by 20 commits:

↗️ tzinfo (indirect, 1.2.2 → 1.2.5) · Repo · Changelog

Release Notes

1.2.5

  • Support recursively (deep) freezing Country and Timezone instances. #80.
  • Allow negative daylight savings time offsets to be derived when reading from zoneinfo files. The utc_offset and std_offset are now derived correctly for Europe/Dublin in the 2018a and 2018b releases of the Time Zone Database.

TZInfo v1.2.5 on RubyGems.org

1.2.4

  • Ignore the leapseconds file that is included in zoneinfo directories installed with version 2017c and later of the Time Zone Database.

TZInfo v1.2.4 on RubyGems.org

1.2.3

  • Reduce the number of String objects allocated when loading zoneinfo files. #54.
  • Make Timezone#friendly_identifier compatible with frozen string literals.
  • Improve the algorithm for deriving the utc_offset from zoneinfo files. This now correctly handles Pacific/Apia switching from one side of the International Date Line to the other whilst observing daylight savings time. #66.
  • Fix an UnknownTimezone exception when calling transitions_up_to or offsets_up_to on a TimezoneProxy instance obtained from Timezone.get_proxy.
  • Allow the Factory zone to be obtained from the Zoneinfo data source.
  • Ignore the /usr/share/zoneinfo/timeconfig symlink included in Slackware distributions. #64.
  • Fix Timezone#strftime handling of %Z expansion when %Z is prefixed with more than one percent. #31.
  • Support expansion of %z, %:z, %::z and %:::z to the UTC offset of the time zone in Timezone#strftime. #31 and #67.

TZInfo v1.2.3 on RubyGems.org

Commits

See the full diff on Github. The new version differs by 47 commits:

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Oct 5, 2018
@depfu depfu bot mentioned this pull request Oct 5, 2018
Closed
@depfu
Copy link
Author

depfu bot commented Apr 22, 2019

Closed in favor of #29.

@depfu depfu bot closed this Apr 22, 2019
@depfu depfu bot deleted the depfu/update/nokogiri-1.8.5 branch April 22, 2019 18:22
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

depfu

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants