[Security] Bump loofah from 2.2.2 to 2.2.3 #455

greysteil · 2018-10-30T14:11:53Z

Bumps loofah from 2.2.2 to 2.2.3. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Loofah XSS Vulnerability
In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Patched versions: >= 2.2.3
Unaffected versions: none

Release notes

Sourced from loofah's releases.

v2.2.3

Notably, this release addresses CVE-2018-16468.

Changelog

Sourced from loofah's changelog.

2.2.3 / 2018-10-30

Security

Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at https://github-redirect.dependabot.com/flavorjones/loofah/issues/154

Meta / 2018-10-27

The mailing list is now on Google Groups #146:

Mail: loofah-talk@googlegroups.com

Archive: https://groups.google.com/forum/#!forum/loofah-talk

This change was made because librelist no longer appears to be maintained.

Commits

cb3dbfa version bump to v2.2.3 and update CHANGELOG
71e4b54 remove the svg animate attribute from from the allowlist
3556e2b add formatting to CHANGELOG
ac7c50d updated mailing list to a new Google Group
de6b0f3 extract msword html data into an asset file
See full diff in compare view

Would still love you to use Dependabot on this repo - it's free and will make your life better, I promise! You'd also be helping us help the community, because it would let us feed back any bugs your test suite surfaces to maintainers.

Bumps [loofah](https://github.com/flavorjones/loofah) from 2.2.2 to 2.2.3. **This update includes security fixes.** - [Release notes](https://github.com/flavorjones/loofah/releases) - [Changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md) - [Commits](flavorjones/loofah@v2.2.2...v2.2.3) Signed-off-by: dependabot[bot] <support@dependabot.com>

coveralls · 2018-10-30T14:27:04Z