profile
viewpoint
Terian Koscik spinecone GitHub Chicago, IL http://pineconedoesthings.com/ voted most likely to be eating a dole whip

spinecone/hello-world-bot 18

A template for creating a Twitter bot that tweets lines of a text one at a time.

dmleong/coding-dojo 15

coursework for coding dojo

spinecone/diy-sex-robot 6

Teach yourself to program with a vibrator

spinecone/gifthubber 3

For sending gifts to hubbers

rubyforgood/panda_app 2

Ruby for Good 2016: A tool to help researchers score observations of animal behaviors

spinecone/angry_rich_people 2

rich people spent money and are angry about it

spinecone/api-horoscope 2

Template for creating your own API horoscope

delete branch spinecone/new-life

delete branch : dependabot/bundler/nokogiri-1.10.10

delete time in 18 days

PR closed spinecone/new-life

[Security] Bump nokogiri from 1.6.6.2 to 1.10.10 dependencies security

Bumps nokogiri from 1.6.6.2 to 1.10.10. This update includes security fixes. <details> <summary>Vulnerabilities fixed</summary> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-5029.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29</strong> nokogiri version 1.7.2 has been released.</p> <p>This is a security update based on 1.7.1, addressing two upstream libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat.</p> <p>These patches only apply when using Nokogiri's vendored libxslt package. If you're using your distro's system libraries, there's no need to upgrade from 1.7.0.1 or 1.7.1 at this time.</p> <p>Full details are available at the github issue linked to in the changelog below.</p> <hr /> <h1>1.7.2 / 2017-05-09</h1> <h2>Security Notes</h2> <p>[MRI] Upstream libxslt patches are applied to the vendored libxslt</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.7.2 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-9050.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities</strong> The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml 2.9.5.</p> <p>It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663)</p> <p>It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information. (CVE-2017-7375)</p> <p>It was discovered that a buffer overflow existed in libxml2 when handling HTTP redirects. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-7376)</p> <p>Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in libxml2 when handling elements. An attacker could use this to specially</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.8.1 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-15412.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml, is affected by DoS vulnerabilities</strong> The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.6.</p> <p>It was discovered that libxml2 incorrecty handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.</p> <p>Patched versions: >= 1.8.2 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-8806.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Denial of service or RCE from libxml2 and libxslt</strong> Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks.</p> <p>For more information, the Ubuntu Security Notice is a good start: <a href="http://www.ubuntu.com/usn/usn-2994-1/">http://www.ubuntu.com/usn/usn-2994-1/</a></p> <p>Patched versions: >= 1.6.8 Unaffected versions: < 1.6.0</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-16932.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml, is affected by DoS vulnerabilities</strong> The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.5.</p> <p>Wei Lei discovered that libxml2 incorrecty handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.</p> <p>Patched versions: >= 1.8.1 Unaffected versions: none</p> </blockquote> <p><em>Sourced from The Ruby Advisory Database.</em></p> <blockquote> <p><strong>Nokogiri Command Injection Vulnerability</strong> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's <code>Kernel.open</code> method. Processes are vulnerable only if the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> is being passed untrusted user input.</p> <p>This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.</p> <p>Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> with untrusted user input.</p> <p>Patched versions: >= 1.10.4 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5477.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file</strong> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's <code>Kernel.open</code> method. Processes are vulnerable only if the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> is being passed untrusted user input.</p> <p>This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.</p> <p>Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> with untrusted user input.</p> <p>Patched versions: >= 1.10.4 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-7499.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2</strong> Nokogiri version 1.6.7.2 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVE:</p> <p>CVE-2015-7499 CVSS v2 Base Score: 5.0 (MEDIUM)</p> <p>Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.</p> <p>libxml2 could be made to crash if it opened a specially crafted file. It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service.</p> <p>Patched versions: >= 1.6.7.2 Unaffected versions: < 1.6.0</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-5312.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains several vulnerabilities in libxml2</strong> Nokogiri version 1.6.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:</p> <p>CVE-2015-5312 CVSS v2 Base Score: 7.1 (HIGH) The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.</p> <p>CVE-2015-7497 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors.</p> <p>CVE-2015-7498 CVSS v2 Base Score: 5.0 (MEDIUM)</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.6.7.1 Unaffected versions: < 1.6.0</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2016-4658.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains several vulnerabilities in libxml2 and libxslt</strong> Nokogiri version 1.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:</p> <p>CVE-2016-4658 CVSS v3 Base Score: 9.8 (Critical) libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.</p> <p>CVE-2016-5131 CVSS v3 Base Score: 8.8 (HIGH) Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.</p> <p>Patched versions: >= 1.7.1 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-1819.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains several vulnerabilities in libxml2 and libxslt</strong> Several vulnerabilities were discovered in the libxml2 and libxslt libraries that the Nokogiri gem depends on.</p> <p>CVE-2015-1819 A denial of service flaw was found in the way libxml2 parsed XML documents. This flaw could cause an application that uses libxml2 to use an excessive amount of memory.</p> <p>CVE-2015-7941 libxml2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted specially XML data.</p> <p>CVE-2015-7942 The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data.</p> <p>CVE-2015-7995</p> <!-- raw HTML omitted --> <p>Patched versions: ~> 1.6.6.4; >= 1.6.7.rc4 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Revert libxml2 behavior in Nokogiri gem that could cause XSS</strong> [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here:</p> <p><a href="https://github.com/GNOME/libxml2/commit/960f0e2">https://github.com/GNOME/libxml2/commit/960f0e2</a></p> <p>and more information is available about this commit and its impact here:</p> <p><a href="https://github-redirect.dependabot.com/flavorjones/loofah/issues/144">flavorjones/loofah#144</a></p> <p>This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities.</p> <p>If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here:</p> <p><a href="https://bugzilla.gnome.org/show_bug.cgi?id=769760">https://bugzilla.gnome.org/show_bug.cgi?id=769760</a></p> <p>Patched versions: >= 1.8.3 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-13117.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxslt, is affected by multiple vulnerabilities</strong> Nokogiri v1.10.5 has been released.</p> <p>This is a security release. It addresses three CVEs in upstream libxml2, for which details are below.</p> <p>If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses these vulnerabilities.</p> <p>Full details about the security update are available in Github Issue [#1943] <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1943">sparklemotion/nokogiri#1943</a>.</p> <hr /> <p>CVE-2019-13117</p> <p><a href="https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html">https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html</a></p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.10.5 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/advisories/GHSA-7553-jr98-vx47">The GitHub Security Advisory Database</a>.</em></p> <blockquote> <p><strong>Moderate severity vulnerability that affects nokogiri</strong> xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. The Nokogiri RubyGem has patched it's vendored copy of libxml2 in order to prevent this issue from affecting nokogiri.</p> <p>Affected versions: < 1.10.8</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-7595.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>libxml2 2.9.10 has an infinite loop in a certain end-of-file situation</strong> Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2, and released this as v1.10.8</p> <p>CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.</p> <p>Patched versions: >= 1.10.8 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-14404.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml2, is affected by multiple vulnerabilities</strong> Nokogiri 1.8.5 has been released.</p> <p>This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below.</p> <p>If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p> <p>Full details about the security update are available in Github Issue #1785. [#1785]: <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1785">sparklemotion/nokogiri#1785</a></p> <hr /> <p>[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.8.5 Unaffected versions: none</p> </blockquote> <p><em>Sourced from The GitHub Security Advisory Database.</em></p> <blockquote> <p><strong>Moderate severity vulnerability that affects nokogiri</strong> The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.</p> <p>Affected versions: < 1.8.2</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-11068.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxslt, is affected by improper access control vulnerability</strong> Nokogiri v1.10.3 has been released.</p> <p>This is a security release. It addresses a CVE in upstream libxslt rated as "Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More details are available below.</p> <p>If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.</p> <p>Full details about the security update are available in Github Issue [#1892] <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1892">sparklemotion/nokogiri#1892</a>.</p> <hr /> <p>CVE-2019-11068</p> <p>Permalinks are:</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.10.3 Unaffected versions: none</p> </blockquote> </details> <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sparklemotion/nokogiri/releases">nokogiri's releases</a>.</em></p> <blockquote> <h2>1.10.10 / 2020-07-06</h2> <h3>Features</h3> <ul> <li>[MRI] Cross-built Windows gems now support Ruby 2.7 [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2029">#2029</a>]. Note that prior to this release, the v1.11.x prereleases provided this support.</li> </ul> <h2>1.10.9 / 2020-03-01</h2> <h3>Fixed</h3> <ul> <li>[MRI] Raise an exception when Nokogiri detects a specific libxml2 edge case involving blank Schema nodes wrapped by Ruby objects that would cause a segfault. Currently no fix is available upstream, so we're preventing a dangerous operation and informing users to code around it if possible. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1985">#1985</a>, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2001">#2001</a>]</li> <li>[JRuby] Change <code>NodeSet#to_a</code> to return a RubyArray instead of Object, for compilation under JRuby 9.2.9 and later. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1968">#1968</a>, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1969">#1969</a>] (Thanks, <a href="https://github.com/headius">@headius</a>!)</li> </ul> <h2>1.10.8 / 2020-02-10</h2> <h3>Security</h3> <p>[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1992">#1992</a>. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.</p> <h2>1.10.7 / 2019-12-03</h2> <h3>Bug</h3> <ul> <li>[MRI] Ensure the patch applied in v1.10.6 works with GNU <code>patch</code>. <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1954">#1954</a></li> </ul> <h2>1.10.6 / 2019-12-03</h2> <h3>Bug</h3> <ul> <li>[MRI] Fix FreeBSD installation of vendored libxml2. [#1941, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1953">#1953</a>] (Thanks, <a href="https://github.com/nurse">@nurse</a>!)</li> </ul> <h2>1.10.5 / 2019-10-31</h2> <h3>Dependencies</h3> <ul> <li>[MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10</li> <li>[MRI] vendored libxslt is updated from 1.1.33 to 1.1.34</li> </ul> <h2>1.10.4 / 2019-08-11</h2> <!-- raw HTML omitted --> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md">nokogiri's changelog</a>.</em></p> <blockquote> <h2>1.10.10 / 2020-07-06</h2> <h3>Features</h3> <ul> <li>[MRI] Cross-built Windows gems now support Ruby 2.7 [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2029">#2029</a>]. Note that prior to this release, the v1.11.x prereleases provided this support.</li> </ul> <h2>1.10.9 / 2020-03-01</h2> <h3>Fixed</h3> <ul> <li>[MRI] Raise an exception when Nokogiri detects a specific libxml2 edge case involving blank Schema nodes wrapped by Ruby objects that would cause a segfault. Currently no fix is available upstream, so we're preventing a dangerous operation and informing users to code around it if possible. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1985">#1985</a>, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2001">#2001</a>]</li> <li>[JRuby] Change <code>NodeSet#to_a</code> to return a RubyArray instead of Object, for compilation under JRuby 9.2.9 and later. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1968">#1968</a>, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1969">#1969</a>] (Thanks, <a href="https://github.com/headius">@headius</a>!)</li> </ul> <h2>1.10.8 / 2020-02-10</h2> <h3>Security</h3> <p>[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1992">#1992</a>. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.</p> <h2>1.10.7 / 2019-12-03</h2> <h3>Fixed</h3> <ul> <li>[MRI] Ensure the patch applied in v1.10.6 works with GNU <code>patch</code>. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1954">#1954</a>]</li> </ul> <h2>1.10.6 / 2019-12-03</h2> <h3>Fixed</h3> <ul> <li>[MRI] Fix FreeBSD installation of vendored libxml2. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1941">#1941</a>, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1953">#1953</a>] (Thanks, <a href="https://github.com/nurse">@nurse</a>!)</li> </ul> <h2>1.10.5 / 2019-10-31</h2> <h3>Security</h3> <p>[MRI] Vendored libxslt upgraded to v1.1.34 which addresses three CVEs for libxslt:</p> <ul> <li>CVE-2019-13117</li> <li>CVE-2019-13118</li> <li>CVE-2019-18197</li> <li>CVE-2019-19956</li> </ul> <p>More details are available at <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1943">#1943</a>.</p> <!-- raw HTML omitted --> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sparklemotion/nokogiri/commit/a9a3717154bdb99ed6d0d785736eb471c9d6a954"><code>a9a3717</code></a> version bump to v1.10.10</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/d2d3c18a6c2db5b448381573c1248fe480198003"><code>d2d3c18</code></a> update CHANGELOG for v1.10.10</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/f0c324c1d93a2880a32dc46cf8766ff132409806"><code>f0c324c</code></a> Merge branch '2029-windows-support-for-ruby-27-on-v110x' into v1.10.x</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/c39e1b082e73557207db1468e4b567727a384579"><code>c39e1b0</code></a> Support fat binary gems for ruby-2.7</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/90916022e38fd48c3a9e3763b0f47f834261d399"><code>9091602</code></a> ci: only manage the v1.10.x pipeline on this branch</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/e2e191de387f854619bc8a3f9b39ca687fe0bf31"><code>e2e191d</code></a> version bump to v1.10.9</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/50f8fdeae4afb8582ff6347d7aa17822a1e11242"><code>50f8fde</code></a> update CHANGELOG</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/9b5deef76aeb5e3868cafb0b0956cca3708136f3"><code>9b5deef</code></a> Change return type to RubyArray</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/ae054f750283dccb1454d71dc00d0343dc2b1c60"><code>ae054f7</code></a> update CHANGELOG for <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1985">#1985</a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/71bcaf0bb1351c09e48f41f10314cb35bb4a4db4"><code>71bcaf0</code></a> Work around a bug in libxml2</li> <li>Additional commits viewable in <a href="https://github.com/sparklemotion/nokogiri/compare/v1.6.6.2...v1.10.10">compare view</a></li> </ul> </details> <br />

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

</details>

+3 -3

1 comment

1 changed file

dependabot-preview[bot]

pr closed time in 18 days

pull request commentspinecone/new-life

[Security] Bump nokogiri from 1.6.6.2 to 1.10.10

Superseded by #31.

dependabot-preview[bot]

comment created time in 18 days

PR opened spinecone/new-life

[Security] Bump nokogiri from 1.6.6.2 to 1.11.0

Bumps nokogiri from 1.6.6.2 to 1.11.0. This update includes security fixes. <details> <summary>Vulnerabilities fixed</summary> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-5029.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29</strong> nokogiri version 1.7.2 has been released.</p> <p>This is a security update based on 1.7.1, addressing two upstream libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat.</p> <p>These patches only apply when using Nokogiri's vendored libxslt package. If you're using your distro's system libraries, there's no need to upgrade from 1.7.0.1 or 1.7.1 at this time.</p> <p>Full details are available at the github issue linked to in the changelog below.</p> <hr /> <h1>1.7.2 / 2017-05-09</h1> <h2>Security Notes</h2> <p>[MRI] Upstream libxslt patches are applied to the vendored libxslt</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.7.2 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-9050.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities</strong> The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml 2.9.5.</p> <p>It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663)</p> <p>It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information. (CVE-2017-7375)</p> <p>It was discovered that a buffer overflow existed in libxml2 when handling HTTP redirects. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-7376)</p> <p>Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in libxml2 when handling elements. An attacker could use this to specially</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.8.1 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-15412.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml, is affected by DoS vulnerabilities</strong> The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.6.</p> <p>It was discovered that libxml2 incorrecty handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.</p> <p>Patched versions: >= 1.8.2 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-8806.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Denial of service or RCE from libxml2 and libxslt</strong> Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks.</p> <p>For more information, the Ubuntu Security Notice is a good start: <a href="http://www.ubuntu.com/usn/usn-2994-1/">http://www.ubuntu.com/usn/usn-2994-1/</a></p> <p>Patched versions: >= 1.6.8 Unaffected versions: < 1.6.0</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-16932.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml, is affected by DoS vulnerabilities</strong> The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.5.</p> <p>Wei Lei discovered that libxml2 incorrecty handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.</p> <p>Patched versions: >= 1.8.1 Unaffected versions: none</p> </blockquote> <p><em>Sourced from The Ruby Advisory Database.</em></p> <blockquote> <p><strong>Nokogiri Command Injection Vulnerability</strong> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's <code>Kernel.open</code> method. Processes are vulnerable only if the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> is being passed untrusted user input.</p> <p>This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.</p> <p>Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> with untrusted user input.</p> <p>Patched versions: >= 1.10.4 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5477.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file</strong> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's <code>Kernel.open</code> method. Processes are vulnerable only if the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> is being passed untrusted user input.</p> <p>This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.</p> <p>Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> with untrusted user input.</p> <p>Patched versions: >= 1.10.4 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-7499.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2</strong> Nokogiri version 1.6.7.2 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVE:</p> <p>CVE-2015-7499 CVSS v2 Base Score: 5.0 (MEDIUM)</p> <p>Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.</p> <p>libxml2 could be made to crash if it opened a specially crafted file. It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service.</p> <p>Patched versions: >= 1.6.7.2 Unaffected versions: < 1.6.0</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-5312.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains several vulnerabilities in libxml2</strong> Nokogiri version 1.6.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:</p> <p>CVE-2015-5312 CVSS v2 Base Score: 7.1 (HIGH) The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.</p> <p>CVE-2015-7497 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors.</p> <p>CVE-2015-7498 CVSS v2 Base Score: 5.0 (MEDIUM)</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.6.7.1 Unaffected versions: < 1.6.0</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2016-4658.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains several vulnerabilities in libxml2 and libxslt</strong> Nokogiri version 1.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:</p> <p>CVE-2016-4658 CVSS v3 Base Score: 9.8 (Critical) libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.</p> <p>CVE-2016-5131 CVSS v3 Base Score: 8.8 (HIGH) Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.</p> <p>Patched versions: >= 1.7.1 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-1819.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains several vulnerabilities in libxml2 and libxslt</strong> Several vulnerabilities were discovered in the libxml2 and libxslt libraries that the Nokogiri gem depends on.</p> <p>CVE-2015-1819 A denial of service flaw was found in the way libxml2 parsed XML documents. This flaw could cause an application that uses libxml2 to use an excessive amount of memory.</p> <p>CVE-2015-7941 libxml2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted specially XML data.</p> <p>CVE-2015-7942 The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data.</p> <p>CVE-2015-7995</p> <!-- raw HTML omitted --> <p>Patched versions: ~> 1.6.6.4; >= 1.6.7.rc4 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Revert libxml2 behavior in Nokogiri gem that could cause XSS</strong> [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here:</p> <p><a href="https://github.com/GNOME/libxml2/commit/960f0e2">https://github.com/GNOME/libxml2/commit/960f0e2</a></p> <p>and more information is available about this commit and its impact here:</p> <p><a href="https://github-redirect.dependabot.com/flavorjones/loofah/issues/144">flavorjones/loofah#144</a></p> <p>This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities.</p> <p>If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here:</p> <p><a href="https://bugzilla.gnome.org/show_bug.cgi?id=769760">https://bugzilla.gnome.org/show_bug.cgi?id=769760</a></p> <p>Patched versions: >= 1.8.3 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-13117.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxslt, is affected by multiple vulnerabilities</strong> Nokogiri v1.10.5 has been released.</p> <p>This is a security release. It addresses three CVEs in upstream libxml2, for which details are below.</p> <p>If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses these vulnerabilities.</p> <p>Full details about the security update are available in Github Issue [#1943] <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1943">sparklemotion/nokogiri#1943</a>.</p> <hr /> <p>CVE-2019-13117</p> <p><a href="https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html">https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html</a></p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.10.5 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/advisories/GHSA-7553-jr98-vx47">The GitHub Security Advisory Database</a>.</em></p> <blockquote> <p><strong>Moderate severity vulnerability that affects nokogiri</strong> xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. The Nokogiri RubyGem has patched it's vendored copy of libxml2 in order to prevent this issue from affecting nokogiri.</p> <p>Affected versions: < 1.10.8</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-7595.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>libxml2 2.9.10 has an infinite loop in a certain end-of-file situation</strong> Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2, and released this as v1.10.8</p> <p>CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.</p> <p>Patched versions: >= 1.10.8 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/advisories/GHSA-vr8q-g5c7-m54m">The GitHub Security Advisory Database</a>.</em></p> <blockquote> <p><strong>XXE in Nokogiri</strong></p> <h3>Severity</h3> <p>Nokogiri maintainers have evaluated this as <a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"><strong>Low Severity</strong> (CVSS3 2.6)</a>.</p> <h3>Description</h3> <p>In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by <code>Nokogiri::XML::Schema</code> are <strong>trusted</strong> by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.</p> <p>This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as <strong>untrusted</strong> by default whenever possible.</p> <p>Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".</p> <h3>Affected Versions</h3> <p>Nokogiri <code>&lt;= 1.10.10</code> as well as prereleases <code>1.11.0.rc1</code>, <code>1.11.0.rc2</code>, and <code>1.11.0.rc3</code></p> <h3>Mitigation</h3> <!-- raw HTML omitted --> <p>Affected versions: <= 1.10.10</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-14404.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml2, is affected by multiple vulnerabilities</strong> Nokogiri 1.8.5 has been released.</p> <p>This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below.</p> <p>If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p> <p>Full details about the security update are available in Github Issue #1785. [#1785]: <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1785">sparklemotion/nokogiri#1785</a></p> <hr /> <p>[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.8.5 Unaffected versions: none</p> </blockquote> <p><em>Sourced from The GitHub Security Advisory Database.</em></p> <blockquote> <p><strong>Moderate severity vulnerability that affects nokogiri</strong> The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.</p> <p>Affected versions: < 1.8.2</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-11068.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxslt, is affected by improper access control vulnerability</strong> Nokogiri v1.10.3 has been released.</p> <p>This is a security release. It addresses a CVE in upstream libxslt rated as "Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More details are available below.</p> <p>If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.</p> <p>Full details about the security update are available in Github Issue [#1892] <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1892">sparklemotion/nokogiri#1892</a>.</p> <hr /> <p>CVE-2019-11068</p> <p>Permalinks are:</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.10.3 Unaffected versions: none</p> </blockquote> </details> <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sparklemotion/nokogiri/releases">nokogiri's releases</a>.</em></p> <blockquote> <h2>v1.11.0 / 2021-01-03</h2> <h3>Notes</h3> <h4>Faster, more reliable installation: Native Gems for Linux and OSX/Darwin</h4> <p>"Native gems" contain pre-compiled libraries for a specific machine architecture. On supported platforms, this removes the need for compiling the C extension and the packaged libraries. This results in <strong>much faster installation</strong> and <strong>more reliable installation</strong>, which as you probably know are the biggest headaches for Nokogiri users.</p> <p>We've been shipping native Windows gems since 2009, but starting in v1.11.0 we are also shipping native gems for these platforms:</p> <ul> <li>Linux: <code>x86-linux</code> and <code>x86_64-linux</code> -- including musl platforms like alpine</li> <li>OSX/Darwin: <code>x86_64-darwin</code> and <code>arm64-darwin</code></li> </ul> <p>We'd appreciate your thoughts and feedback on this work at <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2075">#2075</a>.</p> <h3>Dependencies</h3> <h4>Ruby</h4> <p>This release introduces support for Ruby 2.7 and 3.0 in the precompiled native gems.</p> <p>This release ends support for:</p> <ul> <li>Ruby 2.3, for which <a href="https://www.ruby-lang.org/en/news/2019/03/31/support-of-ruby-2-3-has-ended/">official support ended on 2019-03-31</a> [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1886">#1886</a>] (Thanks <a href="https://github.com/ashmaroli">@ashmaroli</a>!)</li> <li>Ruby 2.4, for which <a href="https://www.ruby-lang.org/en/news/2020/04/05/support-of-ruby-2-4-has-ended/">official support ended on 2020-04-05</a></li> <li>JRuby 9.1, which is the Ruby 2.3-compatible release.</li> </ul> <h4>Gems</h4> <ul> <li>Explicitly add racc as a runtime dependency. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1988">#1988</a>] (Thanks, <a href="https://github.com/voxik">@voxik</a>!)</li> <li>[MRI] Upgrade mini_portile2 dependency from <code>~> 2.4.0</code> to <code>~> 2.5.0</code> [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2005">#2005</a>] (Thanks, <a href="https://github.com/alejandroperea">@alejandroperea</a>!)</li> </ul> <h3>Security</h3> <p>See note below about CVE-2020-26247 in the "Changed" subsection entitled "XML::Schema parsing treats input as untrusted by default".</p> <h3>Added</h3> <ul> <li>Add Node methods for manipulating "keyword attributes" (for example, <code>class</code> and <code>rel</code>): <code>#kwattr_values</code>, <code>#kwattr_add</code>, <code>#kwattr_append</code>, and <code>#kwattr_remove</code>. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2000">#2000</a>]</li> <li>Add support for CSS queries <code>a:has(> b)</code>, <code>a:has(~ b)</code>, and <code>a:has(+ b)</code>. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/688">#688</a>] (Thanks, <a href="https://github.com/jonathanhefner">@jonathanhefner</a>!)</li> <li>Add <code>Node#value?</code> to better match expected semantics of a Hash-like object. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1838">#1838</a>, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1840">#1840</a>] (Thanks, <a href="https://github.com/MatzFan">@MatzFan</a>!)</li> <li>[CRuby] Add <code>Nokogiri::XML::Node#line=</code> for use by downstream libs like nokogumbo. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1918">#1918</a>] (Thanks, <a href="https://github.com/stevecheckoway">@stevecheckoway</a>!)</li> <li><code>nokogiri.gemspec</code> is back after a 10-year hiatus. We still prefer you use the official releases, but master is pretty stable these days, and YOLO.</li> </ul> <h3>Performance</h3> <!-- raw HTML omitted --> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md">nokogiri's changelog</a>.</em></p> <blockquote> <h2>v1.11.0 / 2021-01-03</h2> <h3>Notes</h3> <h4>Faster, more reliable installation: Native Gems for Linux and OSX/Darwin</h4> <p>"Native gems" contain pre-compiled libraries for a specific machine architecture. On supported platforms, this removes the need for compiling the C extension and the packaged libraries. This results in <strong>much faster installation</strong> and <strong>more reliable installation</strong>, which as you probably know are the biggest headaches for Nokogiri users.</p> <p>We've been shipping native Windows gems since 2009, but starting in v1.11.0 we are also shipping native gems for these platforms:</p> <ul> <li>Linux: <code>x86-linux</code> and <code>x86_64-linux</code> -- including musl platforms like alpine</li> <li>OSX/Darwin: <code>x86_64-darwin</code> and <code>arm64-darwin</code></li> </ul> <p>We'd appreciate your thoughts and feedback on this work at <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2075">#2075</a>.</p> <h3>Dependencies</h3> <h4>Ruby</h4> <p>This release introduces support for Ruby 2.7 and 3.0 in the precompiled native gems.</p> <p>This release ends support for:</p> <ul> <li>Ruby 2.3, for which <a href="https://www.ruby-lang.org/en/news/2019/03/31/support-of-ruby-2-3-has-ended/">official support ended on 2019-03-31</a> [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1886">#1886</a>] (Thanks <a href="https://github.com/ashmaroli">@ashmaroli</a>!)</li> <li>Ruby 2.4, for which <a href="https://www.ruby-lang.org/en/news/2020/04/05/support-of-ruby-2-4-has-ended/">official support ended on 2020-04-05</a></li> <li>JRuby 9.1, which is the Ruby 2.3-compatible release.</li> </ul> <h4>Gems</h4> <ul> <li>Explicitly add racc as a runtime dependency. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1988">#1988</a>] (Thanks, <a href="https://github.com/voxik">@voxik</a>!)</li> <li>[MRI] Upgrade mini_portile2 dependency from <code>~> 2.4.0</code> to <code>~> 2.5.0</code> [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2005">#2005</a>] (Thanks, <a href="https://github.com/alejandroperea">@alejandroperea</a>!)</li> </ul> <h3>Security</h3> <p>See note below about CVE-2020-26247 in the "Changed" subsection entitled "XML::Schema parsing treats input as untrusted by default".</p> <h3>Added</h3> <ul> <li>Add Node methods for manipulating "keyword attributes" (for example, <code>class</code> and <code>rel</code>): <code>#kwattr_values</code>, <code>#kwattr_add</code>, <code>#kwattr_append</code>, and <code>#kwattr_remove</code>. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2000">#2000</a>]</li> <li>Add support for CSS queries <code>a:has(> b)</code>, <code>a:has(~ b)</code>, and <code>a:has(+ b)</code>. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/688">#688</a>] (Thanks, <a href="https://github.com/jonathanhefner">@jonathanhefner</a>!)</li> <li>Add <code>Node#value?</code> to better match expected semantics of a Hash-like object. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1838">#1838</a>, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1840">#1840</a>] (Thanks, <a href="https://github.com/MatzFan">@MatzFan</a>!)</li> <li>[CRuby] Add <code>Nokogiri::XML::Node#line=</code> for use by downstream libs like nokogumbo. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1918">#1918</a>] (Thanks, <a href="https://github.com/stevecheckoway">@stevecheckoway</a>!)</li> <li><code>nokogiri.gemspec</code> is back after a 10-year hiatus. We still prefer you use the official releases, but master is pretty stable these days, and YOLO.</li> </ul> <h3>Performance</h3> <!-- raw HTML omitted --> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sparklemotion/nokogiri/commit/1c1fba5e34bf620d83e96fb9dcbd7393c05a03e5"><code>1c1fba5</code></a> version bump to v1.11.0</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/c6b17a69d0e685c08016e602e4d5818b16de7eba"><code>c6b17a6</code></a> doc: remove versioning policy from CHANGELOG since it's in README</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/ff14f0647c404cd2674b83702f6f974eb35f9d02"><code>ff14f06</code></a> Create dependabot.yml</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/638ab65fe0244393f73e7f8bb2c29cda63caaa84"><code>638ab65</code></a> doc: tweak logo and "Description" section in README</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/340686b0990e42ccd9d06c0d11198f8df26f69a7"><code>340686b</code></a> ci: move truffleruby jobs to a separate pipeline</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/f6d2742784f93347f4101aeff473a8b34607b594"><code>f6d2742</code></a> ci: update nokogiri master-branch git resource with webhook</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/4b55ecb52ff42169a206156490b58b6979c62fe4"><code>4b55ecb</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2162">#2162</a> from parndt/use-ruby-setup-ruby</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/e6c077266062f0423f951680e15bb1fa188901e6"><code>e6c0772</code></a> Use ruby/setup-ruby action which bundles</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/940823fee6f91fb3b33b29b90444b1623fa2e505"><code>940823f</code></a> ci: update macos builds to install latest bundler</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/0e6ce7c503087cc2795dba20695e969aeeb3beda"><code>0e6ce7c</code></a> gem: fix packaging of native gems without java files</li> <li>Additional commits viewable in <a href="https://github.com/sparklemotion/nokogiri/compare/v1.6.6.2...v1.11.0">compare view</a></li> </ul> </details> <br />

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

</details>

+5 -3

0 comment

1 changed file

pr created time in 18 days

create barnchspinecone/new-life

branch : dependabot/bundler/nokogiri-1.11.0

created branch time in 18 days

delete branch spinecone/new-life

delete branch : dependabot/bundler/nokogiri-1.10.8

delete time in 23 days

PR closed spinecone/new-life

[Security] Bump nokogiri from 1.6.6.2 to 1.10.8 dependencies security

Bumps nokogiri from 1.6.6.2 to 1.10.8. This update includes security fixes. <details> <summary>Vulnerabilities fixed</summary> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-5029.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29</strong> nokogiri version 1.7.2 has been released.</p> <p>This is a security update based on 1.7.1, addressing two upstream libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat.</p> <p>These patches only apply when using Nokogiri's vendored libxslt package. If you're using your distro's system libraries, there's no need to upgrade from 1.7.0.1 or 1.7.1 at this time.</p> <p>Full details are available at the github issue linked to in the changelog below.</p> <hr /> <h1>1.7.2 / 2017-05-09</h1> <h2>Security Notes</h2> <p>[MRI] Upstream libxslt patches are applied to the vendored libxslt</p> </tr></table> ... (truncated) <p>Patched versions: >= 1.7.2 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-9050.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities</strong> The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml 2.9.5.</p> <p>It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663)</p> <p>It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information. (CVE-2017-7375)</p> <p>It was discovered that a buffer overflow existed in libxml2 when handling HTTP redirects. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-7376)</p> <p>Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in libxml2 when handling elements. An attacker could use this to specially</p> </tr></table> ... (truncated) <p>Patched versions: >= 1.8.1 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-15412.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml, is affected by DoS vulnerabilities</strong> The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.6.</p> <p>It was discovered that libxml2 incorrecty handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.</p> <p>Patched versions: >= 1.8.2 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-8806.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Denial of service or RCE from libxml2 and libxslt</strong> Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks.</p> <p>For more information, the Ubuntu Security Notice is a good start: <a href="http://www.ubuntu.com/usn/usn-2994-1/">http://www.ubuntu.com/usn/usn-2994-1/</a></p> <p>Patched versions: >= 1.6.8 Unaffected versions: < 1.6.0</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-16932.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml, is affected by DoS vulnerabilities</strong> The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.5.</p> <p>Wei Lei discovered that libxml2 incorrecty handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.</p> <p>Patched versions: >= 1.8.1 Unaffected versions: none</p> </blockquote> <p><em>Sourced from The Ruby Advisory Database.</em></p> <blockquote> <p><strong>Nokogiri Command Injection Vulnerability</strong> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's <code>Kernel.open</code> method. Processes are vulnerable only if the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> is being passed untrusted user input.</p> <p>This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.</p> <p>Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> with untrusted user input.</p> <p>Patched versions: >= 1.10.4 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5477.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file</strong> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's <code>Kernel.open</code> method. Processes are vulnerable only if the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> is being passed untrusted user input.</p> <p>This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.</p> <p>Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> with untrusted user input.</p> <p>Patched versions: >= 1.10.4 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-7499.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2</strong> Nokogiri version 1.6.7.2 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVE:</p> <p>CVE-2015-7499 CVSS v2 Base Score: 5.0 (MEDIUM)</p> <p>Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.</p> <p>libxml2 could be made to crash if it opened a specially crafted file. It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service.</p> <p>Patched versions: >= 1.6.7.2 Unaffected versions: < 1.6.0</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-5312.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains several vulnerabilities in libxml2</strong> Nokogiri version 1.6.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:</p> <p>CVE-2015-5312 CVSS v2 Base Score: 7.1 (HIGH) The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.</p> <p>CVE-2015-7497 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors.</p> <p>CVE-2015-7498 CVSS v2 Base Score: 5.0 (MEDIUM)</p> </tr></table> ... (truncated) <p>Patched versions: >= 1.6.7.1 Unaffected versions: < 1.6.0</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2016-4658.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains several vulnerabilities in libxml2 and libxslt</strong> Nokogiri version 1.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:</p> <p>CVE-2016-4658 CVSS v3 Base Score: 9.8 (Critical) libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.</p> <p>CVE-2016-5131 CVSS v3 Base Score: 8.8 (HIGH) Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.</p> <p>Patched versions: >= 1.7.1 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-1819.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains several vulnerabilities in libxml2 and libxslt</strong> Several vulnerabilities were discovered in the libxml2 and libxslt libraries that the Nokogiri gem depends on.</p> <p>CVE-2015-1819 A denial of service flaw was found in the way libxml2 parsed XML documents. This flaw could cause an application that uses libxml2 to use an excessive amount of memory.</p> <p>CVE-2015-7941 libxml2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted specially XML data.</p> <p>CVE-2015-7942 The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data.</p> <p>CVE-2015-7995</p> </tr></table> ... (truncated) <p>Patched versions: ~> 1.6.6.4; >= 1.6.7.rc4 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Revert libxml2 behavior in Nokogiri gem that could cause XSS</strong> [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here:</p> <p><a href="https://github.com/GNOME/libxml2/commit/960f0e2">https://github.com/GNOME/libxml2/commit/960f0e2</a></p> <p>and more information is available about this commit and its impact here:</p> <p><a href="https://github-redirect.dependabot.com/flavorjones/loofah/issues/144">flavorjones/loofah#144</a></p> <p>This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities.</p> <p>If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here:</p> <p><a href="https://bugzilla.gnome.org/show_bug.cgi?id=769760">https://bugzilla.gnome.org/show_bug.cgi?id=769760</a></p> <p>Patched versions: >= 1.8.3 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-13117.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxslt, is affected by multiple vulnerabilities</strong> Nokogiri v1.10.5 has been released.</p> <p>This is a security release. It addresses three CVEs in upstream libxml2, for which details are below.</p> <p>If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses these vulnerabilities.</p> <p>Full details about the security update are available in Github Issue [#1943] <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1943">sparklemotion/nokogiri#1943</a>.</p> <hr /> <p>CVE-2019-13117</p> <p><a href="https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html">https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html</a></p> </tr></table> ... (truncated) <p>Patched versions: >= 1.10.5 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/advisories/GHSA-7553-jr98-vx47">The GitHub Security Advisory Database</a>.</em></p> <blockquote> <p><strong>Moderate severity vulnerability that affects nokogiri</strong> xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. The Nokogiri RubyGem has patched it's vendored copy of libxml2 in order to prevent this issue from affecting nokogiri.</p> <p>Affected versions: < 1.10.8</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-14404.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml2, is affected by multiple vulnerabilities</strong> Nokogiri 1.8.5 has been released.</p> <p>This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below.</p> <p>If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p> <p>Full details about the security update are available in Github Issue #1785. [#1785]: <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1785">sparklemotion/nokogiri#1785</a></p> <hr /> <p>[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p> </tr></table> ... (truncated) <p>Patched versions: >= 1.8.5 Unaffected versions: none</p> </blockquote> <p><em>Sourced from The GitHub Security Advisory Database.</em></p> <blockquote> <p><strong>Moderate severity vulnerability that affects nokogiri</strong> The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.</p> <p>Affected versions: < 1.8.2</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-11068.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxslt, is affected by improper access control vulnerability</strong> Nokogiri v1.10.3 has been released.</p> <p>This is a security release. It addresses a CVE in upstream libxslt rated as "Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More details are available below.</p> <p>If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.</p> <p>Full details about the security update are available in Github Issue [#1892] <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1892">sparklemotion/nokogiri#1892</a>.</p> <hr /> <p>CVE-2019-11068</p> <p>Permalinks are:</p> </tr></table> ... (truncated) <p>Patched versions: >= 1.10.3 Unaffected versions: none</p> </blockquote> </details> <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sparklemotion/nokogiri/releases">nokogiri's releases</a>.</em></p> <blockquote> <h2>1.10.8 / 2020-02-10</h2> <h3>Security</h3> <p>[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1992">#1992</a>. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.</p> <h2>1.10.7 / 2019-12-03</h2> <h3>Bug</h3> <ul> <li>[MRI] Ensure the patch applied in v1.10.6 works with GNU <code>patch</code>. <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1954">#1954</a></li> </ul> <h2>1.10.6 / 2019-12-03</h2> <h3>Bug</h3> <ul> <li>[MRI] Fix FreeBSD installation of vendored libxml2. [#1941, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1953">#1953</a>] (Thanks, <a href="https://github.com/nurse">@nurse</a>!)</li> </ul> <h2>1.10.5 / 2019-10-31</h2> <h3>Dependencies</h3> <ul> <li>[MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10</li> <li>[MRI] vendored libxslt is updated from 1.1.33 to 1.1.34</li> </ul> <h2>1.10.4 / 2019-08-11</h2> <h3>Security</h3> <h4>Address CVE-2019-5477 (<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915">#1915</a>)</h4> <p>A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's <code>Kernel.open</code> method. Processes are vulnerable only if the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> is being passed untrusted user input.</p> <p>This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.</p> <p>This CVE's public notice is <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915">sparklemotion/nokogiri#1915</a></p> <h2>1.10.3 / 2019-04-22</h2> <h3>Security Notes</h3> </tr></table> ... (truncated) </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md">nokogiri's changelog</a>.</em></p> <blockquote> <h2>1.10.8 / 2020-02-10</h2> <h3>Security</h3> <p>[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1992">#1992</a>. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.</p> <h2>1.10.7 / 2019-12-03</h2> <h3>Fixed</h3> <ul> <li>[MRI] Ensure the patch applied in v1.10.6 works with GNU <code>patch</code>. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1954">#1954</a>]</li> </ul> <h2>1.10.6 / 2019-12-03</h2> <h3>Fixed</h3> <ul> <li>[MRI] Fix FreeBSD installation of vendored libxml2. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1941">#1941</a>, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1953">#1953</a>] (Thanks, <a href="https://github.com/nurse">@nurse</a>!)</li> </ul> <h2>1.10.5 / 2019-10-31</h2> <h3>Security</h3> <p>[MRI] Vendored libxslt upgraded to v1.1.34 which addresses three CVEs for libxslt:</p> <ul> <li>CVE-2019-13117</li> <li>CVE-2019-13118</li> <li>CVE-2019-18197</li> <li>CVE-2019-19956</li> </ul> <p>More details are available at <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1943">#1943</a>.</p> <h3>Dependencies</h3> <ul> <li>[MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10</li> <li>[MRI] vendored libxslt is updated from 1.1.33 to 1.1.34</li> </ul> <h2>1.10.4 / 2019-08-11</h2> <h3>Security</h3> <p>Address CVE-2019-5477 (<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915">#1915</a>).</p> <p>A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's <code>Kernel.open</code> method. Processes are vulnerable only if the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> is being passed untrusted user input.</p> <p>This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.</p> </tr></table> ... (truncated) </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sparklemotion/nokogiri/commit/6ce10d15d7af6ad65813a495eaf168f73eba211c"><code>6ce10d1</code></a> version bump to v1.10.8</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/2320f5bd6319dca9c68d85bbf41629bbf8052a49"><code>2320f5b</code></a> update CHANGELOG for v1.10.8</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/4a77fdb789aefed7ca65c7c7f57ad4dca0d3b209"><code>4a77fdb</code></a> remove patches from the hoe Manifest</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/570b6cbc5fbc5ee7ef969332c587b951ae35bcd0"><code>570b6cb</code></a> update to use rake-compiler ~1.1.0</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/2cdb68e95aa075ac36a08d4d82d9b410a950a051"><code>2cdb68e</code></a> backport libxml2 patch for CVE-2020-7595</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/e6b3229ec53ddf70f1d198bba0d3fc13fde842a8"><code>e6b3229</code></a> version bump to v1.10.7</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/4f9d443c2fddc40eefec3366000861433aff6179"><code>4f9d443</code></a> update CHANGELOG</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/80e67ef636ce0ddd55a4a7578d7bbdb186002560"><code>80e67ef</code></a> Fix the patch from <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1953">#1953</a> to work with both <code>git</code> and <code>patch</code></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/7cf1b85a5f8033252e55844ab2765e8f612d4d89"><code>7cf1b85</code></a> Fix typo in generated metadata</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/d76180d0d26a7afb76d84e0de2550ac3bb6abb15"><code>d76180d</code></a> add gem metadata</li> <li>Additional commits viewable in <a href="https://github.com/sparklemotion/nokogiri/compare/v1.6.6.2...v1.10.8">compare view</a></li> </ul> </details> <br />

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

</details>

+3 -3

1 comment

1 changed file

dependabot-preview[bot]

pr closed time in 23 days

pull request commentspinecone/new-life

[Security] Bump nokogiri from 1.6.6.2 to 1.10.8

Superseded by #30.

dependabot-preview[bot]

comment created time in 23 days

PR opened spinecone/new-life

[Security] Bump nokogiri from 1.6.6.2 to 1.10.10

Bumps nokogiri from 1.6.6.2 to 1.10.10. This update includes security fixes. <details> <summary>Vulnerabilities fixed</summary> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-5029.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29</strong> nokogiri version 1.7.2 has been released.</p> <p>This is a security update based on 1.7.1, addressing two upstream libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat.</p> <p>These patches only apply when using Nokogiri's vendored libxslt package. If you're using your distro's system libraries, there's no need to upgrade from 1.7.0.1 or 1.7.1 at this time.</p> <p>Full details are available at the github issue linked to in the changelog below.</p> <hr /> <h1>1.7.2 / 2017-05-09</h1> <h2>Security Notes</h2> <p>[MRI] Upstream libxslt patches are applied to the vendored libxslt</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.7.2 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-9050.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities</strong> The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml 2.9.5.</p> <p>It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663)</p> <p>It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information. (CVE-2017-7375)</p> <p>It was discovered that a buffer overflow existed in libxml2 when handling HTTP redirects. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-7376)</p> <p>Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in libxml2 when handling elements. An attacker could use this to specially</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.8.1 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-15412.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml, is affected by DoS vulnerabilities</strong> The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.6.</p> <p>It was discovered that libxml2 incorrecty handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.</p> <p>Patched versions: >= 1.8.2 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-8806.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Denial of service or RCE from libxml2 and libxslt</strong> Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks.</p> <p>For more information, the Ubuntu Security Notice is a good start: <a href="http://www.ubuntu.com/usn/usn-2994-1/">http://www.ubuntu.com/usn/usn-2994-1/</a></p> <p>Patched versions: >= 1.6.8 Unaffected versions: < 1.6.0</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-16932.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml, is affected by DoS vulnerabilities</strong> The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.5.</p> <p>Wei Lei discovered that libxml2 incorrecty handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.</p> <p>Patched versions: >= 1.8.1 Unaffected versions: none</p> </blockquote> <p><em>Sourced from The Ruby Advisory Database.</em></p> <blockquote> <p><strong>Nokogiri Command Injection Vulnerability</strong> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's <code>Kernel.open</code> method. Processes are vulnerable only if the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> is being passed untrusted user input.</p> <p>This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.</p> <p>Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> with untrusted user input.</p> <p>Patched versions: >= 1.10.4 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5477.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file</strong> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's <code>Kernel.open</code> method. Processes are vulnerable only if the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> is being passed untrusted user input.</p> <p>This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.</p> <p>Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method <code>Nokogiri::CSS::Tokenizer#load_file</code> with untrusted user input.</p> <p>Patched versions: >= 1.10.4 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-7499.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2</strong> Nokogiri version 1.6.7.2 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVE:</p> <p>CVE-2015-7499 CVSS v2 Base Score: 5.0 (MEDIUM)</p> <p>Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.</p> <p>libxml2 could be made to crash if it opened a specially crafted file. It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service.</p> <p>Patched versions: >= 1.6.7.2 Unaffected versions: < 1.6.0</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-5312.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains several vulnerabilities in libxml2</strong> Nokogiri version 1.6.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:</p> <p>CVE-2015-5312 CVSS v2 Base Score: 7.1 (HIGH) The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.</p> <p>CVE-2015-7497 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors.</p> <p>CVE-2015-7498 CVSS v2 Base Score: 5.0 (MEDIUM)</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.6.7.1 Unaffected versions: < 1.6.0</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2016-4658.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains several vulnerabilities in libxml2 and libxslt</strong> Nokogiri version 1.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:</p> <p>CVE-2016-4658 CVSS v3 Base Score: 9.8 (Critical) libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.</p> <p>CVE-2016-5131 CVSS v3 Base Score: 8.8 (HIGH) Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.</p> <p>Patched versions: >= 1.7.1 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-1819.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem contains several vulnerabilities in libxml2 and libxslt</strong> Several vulnerabilities were discovered in the libxml2 and libxslt libraries that the Nokogiri gem depends on.</p> <p>CVE-2015-1819 A denial of service flaw was found in the way libxml2 parsed XML documents. This flaw could cause an application that uses libxml2 to use an excessive amount of memory.</p> <p>CVE-2015-7941 libxml2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted specially XML data.</p> <p>CVE-2015-7942 The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data.</p> <p>CVE-2015-7995</p> <!-- raw HTML omitted --> <p>Patched versions: ~> 1.6.6.4; >= 1.6.7.rc4 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Revert libxml2 behavior in Nokogiri gem that could cause XSS</strong> [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here:</p> <p><a href="https://github.com/GNOME/libxml2/commit/960f0e2">https://github.com/GNOME/libxml2/commit/960f0e2</a></p> <p>and more information is available about this commit and its impact here:</p> <p><a href="https://github-redirect.dependabot.com/flavorjones/loofah/issues/144">flavorjones/loofah#144</a></p> <p>This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities.</p> <p>If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here:</p> <p><a href="https://bugzilla.gnome.org/show_bug.cgi?id=769760">https://bugzilla.gnome.org/show_bug.cgi?id=769760</a></p> <p>Patched versions: >= 1.8.3 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-13117.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxslt, is affected by multiple vulnerabilities</strong> Nokogiri v1.10.5 has been released.</p> <p>This is a security release. It addresses three CVEs in upstream libxml2, for which details are below.</p> <p>If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses these vulnerabilities.</p> <p>Full details about the security update are available in Github Issue [#1943] <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1943">sparklemotion/nokogiri#1943</a>.</p> <hr /> <p>CVE-2019-13117</p> <p><a href="https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html">https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html</a></p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.10.5 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/advisories/GHSA-7553-jr98-vx47">The GitHub Security Advisory Database</a>.</em></p> <blockquote> <p><strong>Moderate severity vulnerability that affects nokogiri</strong> xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. The Nokogiri RubyGem has patched it's vendored copy of libxml2 in order to prevent this issue from affecting nokogiri.</p> <p>Affected versions: < 1.10.8</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-7595.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>libxml2 2.9.10 has an infinite loop in a certain end-of-file situation</strong> Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2, and released this as v1.10.8</p> <p>CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.</p> <p>Patched versions: >= 1.10.8 Unaffected versions: none</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-14404.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxml2, is affected by multiple vulnerabilities</strong> Nokogiri 1.8.5 has been released.</p> <p>This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below.</p> <p>If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p> <p>Full details about the security update are available in Github Issue #1785. [#1785]: <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1785">sparklemotion/nokogiri#1785</a></p> <hr /> <p>[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.8.5 Unaffected versions: none</p> </blockquote> <p><em>Sourced from The GitHub Security Advisory Database.</em></p> <blockquote> <p><strong>Moderate severity vulnerability that affects nokogiri</strong> The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.</p> <p>Affected versions: < 1.8.2</p> </blockquote> <p><em>Sourced from <a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-11068.yml">The Ruby Advisory Database</a>.</em></p> <blockquote> <p><strong>Nokogiri gem, via libxslt, is affected by improper access control vulnerability</strong> Nokogiri v1.10.3 has been released.</p> <p>This is a security release. It addresses a CVE in upstream libxslt rated as "Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More details are available below.</p> <p>If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.</p> <p>Full details about the security update are available in Github Issue [#1892] <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1892">sparklemotion/nokogiri#1892</a>.</p> <hr /> <p>CVE-2019-11068</p> <p>Permalinks are:</p> <!-- raw HTML omitted --> <p>Patched versions: >= 1.10.3 Unaffected versions: none</p> </blockquote> </details> <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sparklemotion/nokogiri/releases">nokogiri's releases</a>.</em></p> <blockquote> <h2>1.10.10 / 2020-07-06</h2> <h3>Features</h3> <ul> <li>[MRI] Cross-built Windows gems now support Ruby 2.7 [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2029">#2029</a>]. Note that prior to this release, the v1.11.x prereleases provided this support.</li> </ul> <h2>1.10.9 / 2020-03-01</h2> <h3>Fixed</h3> <ul> <li>[MRI] Raise an exception when Nokogiri detects a specific libxml2 edge case involving blank Schema nodes wrapped by Ruby objects that would cause a segfault. Currently no fix is available upstream, so we're preventing a dangerous operation and informing users to code around it if possible. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1985">#1985</a>, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2001">#2001</a>]</li> <li>[JRuby] Change <code>NodeSet#to_a</code> to return a RubyArray instead of Object, for compilation under JRuby 9.2.9 and later. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1968">#1968</a>, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1969">#1969</a>] (Thanks, <a href="https://github.com/headius">@headius</a>!)</li> </ul> <h2>1.10.8 / 2020-02-10</h2> <h3>Security</h3> <p>[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1992">#1992</a>. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.</p> <h2>1.10.7 / 2019-12-03</h2> <h3>Bug</h3> <ul> <li>[MRI] Ensure the patch applied in v1.10.6 works with GNU <code>patch</code>. <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1954">#1954</a></li> </ul> <h2>1.10.6 / 2019-12-03</h2> <h3>Bug</h3> <ul> <li>[MRI] Fix FreeBSD installation of vendored libxml2. [#1941, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1953">#1953</a>] (Thanks, <a href="https://github.com/nurse">@nurse</a>!)</li> </ul> <h2>1.10.5 / 2019-10-31</h2> <h3>Dependencies</h3> <ul> <li>[MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10</li> <li>[MRI] vendored libxslt is updated from 1.1.33 to 1.1.34</li> </ul> <h2>1.10.4 / 2019-08-11</h2> <!-- raw HTML omitted --> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md">nokogiri's changelog</a>.</em></p> <blockquote> <h2>1.10.10 / 2020-07-06</h2> <h3>Features</h3> <ul> <li>[MRI] Cross-built Windows gems now support Ruby 2.7 [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2029">#2029</a>]. Note that prior to this release, the v1.11.x prereleases provided this support.</li> </ul> <h2>1.10.9 / 2020-03-01</h2> <h3>Fixed</h3> <ul> <li>[MRI] Raise an exception when Nokogiri detects a specific libxml2 edge case involving blank Schema nodes wrapped by Ruby objects that would cause a segfault. Currently no fix is available upstream, so we're preventing a dangerous operation and informing users to code around it if possible. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1985">#1985</a>, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2001">#2001</a>]</li> <li>[JRuby] Change <code>NodeSet#to_a</code> to return a RubyArray instead of Object, for compilation under JRuby 9.2.9 and later. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1968">#1968</a>, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1969">#1969</a>] (Thanks, <a href="https://github.com/headius">@headius</a>!)</li> </ul> <h2>1.10.8 / 2020-02-10</h2> <h3>Security</h3> <p>[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1992">#1992</a>. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.</p> <h2>1.10.7 / 2019-12-03</h2> <h3>Fixed</h3> <ul> <li>[MRI] Ensure the patch applied in v1.10.6 works with GNU <code>patch</code>. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1954">#1954</a>]</li> </ul> <h2>1.10.6 / 2019-12-03</h2> <h3>Fixed</h3> <ul> <li>[MRI] Fix FreeBSD installation of vendored libxml2. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1941">#1941</a>, <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1953">#1953</a>] (Thanks, <a href="https://github.com/nurse">@nurse</a>!)</li> </ul> <h2>1.10.5 / 2019-10-31</h2> <h3>Security</h3> <p>[MRI] Vendored libxslt upgraded to v1.1.34 which addresses three CVEs for libxslt:</p> <ul> <li>CVE-2019-13117</li> <li>CVE-2019-13118</li> <li>CVE-2019-18197</li> <li>CVE-2019-19956</li> </ul> <p>More details are available at <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1943">#1943</a>.</p> <!-- raw HTML omitted --> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sparklemotion/nokogiri/commit/a9a3717154bdb99ed6d0d785736eb471c9d6a954"><code>a9a3717</code></a> version bump to v1.10.10</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/d2d3c18a6c2db5b448381573c1248fe480198003"><code>d2d3c18</code></a> update CHANGELOG for v1.10.10</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/f0c324c1d93a2880a32dc46cf8766ff132409806"><code>f0c324c</code></a> Merge branch '2029-windows-support-for-ruby-27-on-v110x' into v1.10.x</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/c39e1b082e73557207db1468e4b567727a384579"><code>c39e1b0</code></a> Support fat binary gems for ruby-2.7</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/90916022e38fd48c3a9e3763b0f47f834261d399"><code>9091602</code></a> ci: only manage the v1.10.x pipeline on this branch</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/e2e191de387f854619bc8a3f9b39ca687fe0bf31"><code>e2e191d</code></a> version bump to v1.10.9</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/50f8fdeae4afb8582ff6347d7aa17822a1e11242"><code>50f8fde</code></a> update CHANGELOG</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/9b5deef76aeb5e3868cafb0b0956cca3708136f3"><code>9b5deef</code></a> Change return type to RubyArray</li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/ae054f750283dccb1454d71dc00d0343dc2b1c60"><code>ae054f7</code></a> update CHANGELOG for <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1985">#1985</a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/71bcaf0bb1351c09e48f41f10314cb35bb4a4db4"><code>71bcaf0</code></a> Work around a bug in libxml2</li> <li>Additional commits viewable in <a href="https://github.com/sparklemotion/nokogiri/compare/v1.6.6.2...v1.10.10">compare view</a></li> </ul> </details> <br />

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

</details>

+3 -3

0 comment

1 changed file

pr created time in 23 days

create barnchspinecone/new-life

branch : dependabot/bundler/nokogiri-1.10.10

created branch time in 23 days

PR opened CSC322-Grinnell/anti-racism-library

Bump ini from 1.3.5 to 1.3.8

Bumps ini from 1.3.5 to 1.3.8. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/npm/ini/commit/a2c5da86604bc2238fe393c5ff083bf23a9910eb"><code>a2c5da8</code></a> 1.3.8</li> <li><a href="https://github.com/npm/ini/commit/af5c6bb5dca6f0248c153aa87e25bddfc515ff6e"><code>af5c6bb</code></a> Do not use Object.create(null)</li> <li><a href="https://github.com/npm/ini/commit/8b648a1ac49e1b3b7686ea957e0b95e544bc6ec1"><code>8b648a1</code></a> don't test where our devdeps don't even work</li> <li><a href="https://github.com/npm/ini/commit/c74c8af35f32b801a7e82a8309eab792a95932f6"><code>c74c8af</code></a> 1.3.7</li> <li><a href="https://github.com/npm/ini/commit/024b8b55ac1c980c6225607b007714c54eb501ba"><code>024b8b5</code></a> update deps, add linting</li> <li><a href="https://github.com/npm/ini/commit/032fbaf5f0b98fce70c8cc380e0d05177a9c9073"><code>032fbaf</code></a> Use Object.create(null) to avoid default object property hazards</li> <li><a href="https://github.com/npm/ini/commit/2da90391ef70db41d10f013e3a87f9a8c5d01a72"><code>2da9039</code></a> 1.3.6</li> <li><a href="https://github.com/npm/ini/commit/cfea636f534b5ca7550d2c28b7d1a95d936d56c6"><code>cfea636</code></a> better git push script, before publish instead of after</li> <li><a href="https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1"><code>56d2805</code></a> do not allow invalid hazardous string as section name</li> <li>See full diff in <a href="https://github.com/isaacs/ini/compare/v1.3.5...v1.3.8">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~isaacs">isaacs</a>, a new releaser for ini since your current version.</p> </details> <br />

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

+6 -6

0 comment

2 changed files

pr created time in a month

push eventCSC322-Grinnell/anti-racism-library

Christa

commit sha 40bad5f12f82791e0b505d4344ead971a0ea7750

Update README.md

view details

Christa

commit sha 95b190787122950f7eaca194608a30f84cb53417

Merge pull request #58 from CSC322-Grinnell/update-readme Update README.md

view details

push time in a month

PR opened CSC322-Grinnell/anti-racism-library

Update README.md

updated readme

+6 -9

0 comment

1 changed file

pr created time in a month

create barnchCSC322-Grinnell/anti-racism-library

branch : update-readme

created branch time in a month

delete branch CSC322-Grinnell/anti-racism-library

delete branch : christa/ui-changes

delete time in a month

push eventCSC322-Grinnell/anti-racism-library

quang1610

commit sha 804a18dea8901513f21371502a3a56a701403e00

fixing migrate files

view details

quang1610

commit sha 9795454a8abc369b6fc75935410812a6fb503ce8

fixing migrate files

view details

quang1610

commit sha a29d7e286d770b01e8e2c3c2dae67d6caa7036c5

clean up mirgrate file to avoid error on heroku

view details

quang1610

commit sha 7c4f2e0e20a5aa4c8a5af85b2e385d1a6a380a0c

clean up mirgrate file to avoid error on heroku, and clean 1 UI bug

view details

quang1610

commit sha 39dd1af4c8965d688c0d20d674322ce23a75c465

clean up mirgrate file to avoid error on heroku, and clean 1 UI bug

view details

Quang Nguyen

commit sha 93b2c6f6626ab64f108a1674776d996e96b42afc

Merge pull request #57 from CSC322-Grinnell/quang/minor-fix-UI-and-migrate Quang/minor fix UI and migrate

view details

push time in a month

PR merged CSC322-Grinnell/anti-racism-library

Reviewers
Quang/minor fix UI and migrate

This PR fixes 2 things:

  • Missing </div> in admin_index.html.erb.
  • Redundant migrate file that handle remove status from item. I also fix create item migrate file that cause bug when run a clean db:migrate on heroku.
+4 -8

0 comment

4 changed files

quangngn

pr closed time in a month

PR opened CSC322-Grinnell/anti-racism-library

Reviewers
Quang/minor fix UI and migrate

This PR fixes 2 things:

  • Missing </div> in admin_index.html.erb.
  • Redundant migrate file that handle remove status from item. I also fix create item migrate file that cause bug when run a clean db:migrate on heroku.
+4 -8

0 comment

4 changed files

pr created time in a month

delete branch CSC322-Grinnell/anti-racism-library

delete branch : quang/admin-page

delete time in a month

delete branch CSC322-Grinnell/anti-racism-library

delete branch : quang/clean-migrate-files

delete time in a month

push eventCSC322-Grinnell/anti-racism-library

quang1610

commit sha 0a24367627114d7e2d45e6443255bd60043188ac

clean up mirgrate file to avoid error on heroku, and clean 1 UI bug

view details

push time in a month

create barnchCSC322-Grinnell/anti-racism-library

branch : quang/clean-migrate-files

created branch time in a month

push eventCSC322-Grinnell/anti-racism-library

Haakon Larsen

commit sha 2ad5fe86c30f9681482d586a7864b451b647c1d1

small tiny title change

view details

Quang Nguyen

commit sha 6a039e8994371272339f161725f29312bd46097c

Merge pull request #56 from CSC322-Grinnell/haakon/tiny_index_fix small tiny title change

view details

push time in a month

PR merged CSC322-Grinnell/anti-racism-library

Reviewers
small tiny title change

Summary:

We changed the index.html.erb and admin_index.html.erb files so that they would not have 2 titles for the demo video, but did not commit those changes yet.

Expectation:

These changes should update the resource page and the administration page so that they have 1 title each.

Tests:

+31 -7

0 comment

3 changed files

HaKahn17

pr closed time in a month

PR opened CSC322-Grinnell/anti-racism-library

small tiny title change

Summary:

We changed the index.html.erb and admin_index.html.erb files so that they would not have 2 titles for the demo video, but did not commit those changes yet.

Expectation:

These changes should update the resource page and the administration page so that they have 1 title each.

Tests:

+31 -7

0 comment

3 changed files

pr created time in a month

create barnchCSC322-Grinnell/anti-racism-library

branch : haakon/tiny_index_fix

created branch time in a month

delete branch CSC322-Grinnell/anti-racism-library

delete branch : haakon/filter_backend

delete time in a month

more