
Force update gem nokogiri to '1.11.0.rc4' #1532

Merged
merged 1 commit into from Dec 31, 2020

Conversation

david-a-wheeler
Collaborator

This counters CVE-2020-26247,
"XML::Schema input is now "untrusted" by default".
For more information, see:
GHSA-vr8q-g5c7-m54m

This is debatable. We are almost certainly not vulnerable, because we
never use Nokogiri's XML Schema system. In addition, this recommended
fix uses a release candidate version of a library, instead of a final
release, and we generally avoid doing that. However, it's hard to be
certain that there's no exploit, and this release candidate
appears to be very solid for our purposes. I think there
are good arguments to use this nokogiri release candidate, and that there
are also good reasons not to use it. Sadly I must make some decision;
no decision is a decision. I've made a judgement call to
use the release candidate version with the security update.
I think the risk is smallest if we upgrade now for this specific case.

Signed-off-by: David A. Wheeler dwheeler@dwheeler.com

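The practical check behind this PR, as an added example that is not code from the PR or from the project: a small Ruby script that reads the nokogiri version pinned in a Gemfile.lock and compares it with 1.11.0.rc4, the first version in which XML::Schema input defaults to untrusted (per GHSA-vr8q-g5c7-m54m). The two lockfile fragments are constructed for the example, not taken from the repository, and the function names are my own. It also shows why the version had to be forced rather than left to normal resolution: `Gem::Version` orders 1.11.0.rc4 below 1.11.0, so a release-only constraint does not reach the fix.

```ruby
# Added example (not part of the PR or the project): audit a Gemfile.lock
# for nokogiri < 1.11.0.rc4 (CVE-2020-26247, GHSA-vr8q-g5c7-m54m).
require "rubygems"

# First version whose XML::Schema parser defaults to NONET (from the advisory).
PATCHED_NOKOGIRI = Gem::Version.new("1.11.0.rc4")

# Returns the nokogiri version string pinned in a Gemfile.lock, or nil.
# Only top-level spec entries (four-space indent under "specs:") are matched,
# so a dependency line such as "      nokogiri (>= 1.6)" under another gem
# is ignored.
def nokogiri_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}nokogiri \(([^)]+)\)\s*\z/)
    next unless m
    # Platform-specific entries look like "1.11.0.rc4-x86_64-linux";
    # drop the platform suffix before comparing.
    return m[1].split("-", 2).first
  end
  nil
end

# True when the pinned version still treats XML::Schema input as trusted.
def vulnerable_to_cve_2020_26247?(version_string)
  Gem::Version.new(version_string) < PATCHED_NOKOGIRI
end

# One-word verdict for a lockfile: :vulnerable, :patched or :not_pinned.
def audit(lockfile_text)
  v = nokogiri_version(lockfile_text)
  return :not_pinned if v.nil?
  vulnerable_to_cve_2020_26247?(v) ? :vulnerable : :patched
end

# Why the PR "forces" the version: the fixed version is a prerelease and
# sorts below the final 1.11.0, so a constraint naming only released
# versions cannot resolve to it; the Gemfile has to name the rc explicitly.
def prerelease_fix?
  PATCHED_NOKOGIRI.prerelease? && PATCHED_NOKOGIRI < Gem::Version.new("1.11.0")
end

# Constructed lockfile fragments (hypothetical, not from the repository).
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.4.0)
      nokogiri (1.10.10)
        mini_portile2 (~> 2.4.0)
LOCK

LOCK_AFTER = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.5.0)
      nokogiri (1.11.0.rc4)
        mini_portile2 (~> 2.5.0)
        racc (~> 1.4)
      racc (1.5.2)
LOCK

if $PROGRAM_NAME == __FILE__
  puts "before upgrade: #{audit(LOCK_BEFORE)}"
  puts "after upgrade:  #{audit(LOCK_AFTER)}"
  puts "fix is a prerelease: #{prerelease_fix?}"
end
```

Run it against a real Gemfile.lock with `audit(File.read("Gemfile.lock"))`; a `:vulnerable` result means the schema parser would still follow external references by default, which only matters if the application ever hands attacker-controlled XSD or RelaxNG to Nokogiri, the case the PR author notes this project does not have.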
@david-a-wheeler
Collaborator Author

@jdossett - I intend to merge this soon.

@codecov

codecov bot commented Dec 30, 2020

Codecov Report

Merging #1532 (bff44bc) into master (f54ed92) will not change coverage.
The diff coverage is n/a.


@@            Coverage Diff            @@
##            master     #1532   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           52        52           
  Lines         1891      1891           
=========================================
  Hits          1891      1891           


@david-a-wheeler david-a-wheeler merged commit a4351bf into master Dec 31, 2020
@david-a-wheeler david-a-wheeler deleted the nokogiri_1_11_0_rc4 branch December 31, 2020 20:47