[Security] Bump nokogiri from 1.8.4 to 1.8.5 by greysteil · Pull Request #3080 · catarse/catarse

greysteil · 2018-10-05T09:09:51Z

Bumps nokogiri from 1.8.4 to 1.8.5. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Nokogiri 1.8.5 has been released.

This is a security and bugfix release. It addresses two CVEs in upstream
libxml2 rated as "medium" by Red Hat, for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that these patches are not
yet (as of 2018-10-04) in an upstream release of libxml2.

Full details about the security update are available in Github Issue #1785.
[#1785]: https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1785

[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404
and CVE-2018-14567. Full details are available in #1785. Note that these
patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
... (truncated)
Patched versions: >= 1.8.5
Unaffected versions: none

Changelog

Sourced from nokogiri's changelog.

1.8.5 / 2018-10-04

Security Notes

[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.

Bug fixes

[MRI] Fix regression in installation when building against system libraries, where some systems would not be able to find libxml2 or libxslt when present. (Regression introduced in v1.8.3.) [removing span and making button large #1722]

[JRuby] Fix node reparenting when the destination doc is empty. [Adds reverse index on payments to accelerate default query on new admin #1773]

Commits

e28fa4b version bump to v1.8.5
712edef update changelog
7feb4c1 Merge branch 'fix-1773'
7cc6cf6 Organize imports in XmlNode.java.
1697442 Allow reparenting nodes to be a child of an empty document.
7b8cd0f Merge pull request #1786 from sparklemotion/1785-canonical-usns
5bff4bb pull in upstream libxml2 patches
c232226 changelog
862b88f changelog
b3750eb remove -Wextra CFLAG
Additional commits viewable in compare view

Another insecure dependency fix.

Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.8.4 to 1.8.5. **This update includes security fixes.** - [Release notes](https://github.com/sparklemotion/nokogiri/releases) - [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md) - [Commits](sparklemotion/nokogiri@v1.8.4...v1.8.5) Signed-off-by: dependabot[bot] <support@dependabot.com>

greysteil · 2018-10-30T13:37:40Z

Hey folks, anything you need from me to get this merged?

I just got an alert that this repo is also affected by the Loofah vulnerability just announced, but it looks like you're not keen on merging dependency update PRs?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Bump nokogiri from 1.8.4 to 1.8.5#3080

[Security] Bump nokogiri from 1.8.4 to 1.8.5#3080
greysteil wants to merge 1 commit intocatarse:developfrom
greysteil:dependabot/bundler/nokogiri-1.8.5

greysteil commented Oct 5, 2018

Uh oh!

greysteil commented Oct 30, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

greysteil commented Oct 5, 2018

1.8.5 / 2018-10-04

Security Notes

Bug fixes

Uh oh!

greysteil commented Oct 30, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants