
Patch for CVE-2022-29181 and CVE-2022-24836 #13398

Merged
merged 1 commit into main from tp/INFC-369-nokogiri-bump-to-1.13.6 Dec 12, 2022

Conversation

tpowell-progress (Contributor)

Description

Current Nokogiri version (in omnibus_overrides.rb) is 1.13.1, which contains the following vulnerabilities.

CVE-2022-29181

CVE-2022-24836

Upgrade to at least 1.13.6 per CVE-2022-29181’s remediation/description:

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a String by calling #to_s or equivalent.

Related Issue

INFC-369 (Patch for Nokogiri CVEs for Chef 18.1 Release)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.
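An added Ruby example (not code from the Chef project or from this PR) showing the two points the description makes: a version gate that flags a Nokogiri pin older than 1.13.6, and the advisory's workaround of coercing untrusted SAX input to a String. The `parser` argument is assumed to respond to `#parse` with a String or IO-like argument, as Nokogiri's SAX parsers do; `RecordingParser` is a constructed stand-in, not a Nokogiri class.

```ruby
require "rubygems" # Gem::Version; normally already loaded

# Lowest Nokogiri release carrying the fix for CVE-2022-29181 / CVE-2022-24836.
FIXED_NOKOGIRI_VERSION = Gem::Version.new("1.13.6")

# True when the pinned version (e.g. the value in omnibus_overrides.rb) is still
# affected. Gem::Version is used deliberately: a plain string compare would rank
# "1.13.10" below "1.13.6".
def nokogiri_vulnerable?(version_string)
  Gem::Version.new(version_string) < FIXED_NOKOGIRI_VERSION
end

# The advisory's workaround: make sure untrusted input reaches the SAX parser as
# a String. Assumption: IO-like objects (anything responding to #read) are passed
# through unchanged because the parsers accept them by design; every other type
# is coerced with #to_s.
def coerce_untrusted_input(input)
  return input if input.is_a?(String) || input.respond_to?(:read)

  input.to_s
end

# Wraps a SAX-style parser so callers cannot hand it an unexpected type.
def parse_untrusted(parser, input)
  parser.parse(coerce_untrusted_input(input))
end

# Constructed stand-in for a SAX parser: records what it was handed so the
# coercion can be observed without a real Nokogiri dependency.
class RecordingParser
  attr_reader :received

  def parse(thing)
    @received = thing
    thing
  end
end
```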

@tpowell-progress tpowell-progress requested review from a team as code owners December 2, 2022 13:25
Signed-off-by: Thomas Powell <powell@progress.com>
@tpowell-progress tpowell-progress force-pushed the tp/INFC-369-nokogiri-bump-to-1.13.6 branch from e09db57 to 4885383 December 12, 2022 21:06
sonarcloud bot commented Dec 12, 2022

Kudos, SonarCloud Quality Gate passed!

  • Bugs: A (0 Bugs)
  • Vulnerabilities: A (0 Vulnerabilities)
  • Security Hotspots: A (0 Security Hotspots)
  • Code Smells: A (0 Code Smells)

No coverage information
0.0% Duplication

@tpowell-progress tpowell-progress merged commit f532bbe into main Dec 12, 2022
@tpowell-progress tpowell-progress deleted the tp/INFC-369-nokogiri-bump-to-1.13.6 branch December 12, 2022 21:58