RFC: applying patches from USN-3235-1 #1615
Comments
which address CVE-2016-4658 and CVE-2016-5131. see #1615 for more information
Temporary test pipeline is up at https://ci.nokogiri.org/teams/nokogiri-core/pipelines/nokogiri?groups=USN-3235-1

Note that the patch for CVE-2016-4658 breaks a test: https://ci.nokogiri.org/teams/nokogiri-core/pipelines/nokogiri/jobs/USN-3235-1/builds/1 which is ... unexpected. Looking into it.
GNOME/libxml2@a005199 alters the return value in this edge case. See #1615 for more background on this libxml2 commit, which was pulled in by Canonical to address CVE-2016-5131, which is mildly mysterious.
Failure isn't meaningful, skipping it. See 4574bae.
Ready to cut 1.7.1, will wait until tomorrow, though. https://ci.nokogiri.org/teams/nokogiri-core/pipelines/nokogiri/jobs/1.7.1-rc/builds/2

OK, shipping it.

Delayed slightly by the fact that zlib 1.2.8 is no longer downloadable (which is used for Windows devkit builds); need to upgrade to zlib 1.2.11.
# 1.7.1 / unreleased

## Security Notes

[MRI] Upstream libxml2 patches are applied to the vendored libxml 2.9.4 which address CVE-2016-4658 and CVE-2016-5131.

For more information:

* sparklemotion/nokogiri#1615
* http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4658.html
* http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5131.html

## Dependencies

* [Windows] Upgrade zlib from 1.2.8 to 1.2.11 (unless --use-system-libraries)
1.7.1 has a fix for this vulnerability: sparklemotion/nokogiri#1615
Allows users to upgrade Nokogiri to 1.7.x to protect themselves from CVE-2016-4658: sparklemotion/nokogiri#1615
Nokogiri 1.7.1 was released to address security issues: sparklemotion/nokogiri#1615
This was a vulnerability: sparklemotion/nokogiri#1615 By updating rails, that updated other dependencies and along with it nokogiri which removed the vulnerability.
* Update Nokogiri to v1.8.0

  Addresses security vulnerability:
  - [nokogiri issue 1615](sparklemotion/nokogiri#1615)
  - [nokogiri issue 1634](sparklemotion/nokogiri#1634)

* Travis is failing because ruby-advisory-db warnings say nokogiri is out of date and has vulnerabilities.
  sparklemotion/nokogiri#1615
  sparklemotion/nokogiri#1634
  sparklemotion/nokogiri#1473
* Also updated capybara-webkit which uses nokogiri
* Maybe I should write a script to automatically update nokogiri :)

```
ruby-advisory-db: 288 advisories

Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2017-9050
Criticality: Unknown
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Solution: upgrade to >= 1.8.1
```
```
Name: actionview
Version: 4.2.6
Advisory: CVE-2016-6316
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
Title: Possible XSS Vulnerability in Action View
Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1

Name: activerecord
Version: 4.2.6
Advisory: CVE-2016-6317
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
Title: Unsafe Query Generation Risk in Active Record
Solution: upgrade to >= 4.2.7.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2017-9050
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Solution: upgrade to >= 1.8.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2016-4658
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2015-8806
URL: sparklemotion/nokogiri#1473
Title: Denial of service or RCE from libxml2 and libxslt
Solution: upgrade to >= 1.6.8

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2017-5029
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2
```
Note that this upgrade changes the minimum required Ruby version from 1.9.3-p551 to 2.1.8.

```
$ bundle audit check
Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Vulnerabilities found!
```
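The bundle-audit output quoted in the commit messages above carries one `Solution:` line per advisory, so a gem with several open advisories (nokogiri is listed with `>= 1.7.1`, `>= 1.7.2` and `>= 1.8.1`) needs the lowest version that clears all of them. The Ruby script below is an added example, not code from this issue or from bundler-audit: it parses that `Name:/Version:/Advisory:/Solution:` layout and uses `Gem::Requirement` to find that floor, including the comma-separated alternative form (`~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1`); the input is a constructed excerpt built from the versions quoted above.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby itself

# Constructed excerpt in the bundle-audit "Name:/Version:/Advisory:/Solution:" layout,
# using versions and advisories quoted in the commit messages above.
AUDIT_OUTPUT = <<~TEXT
  Name: nokogiri
  Version: 1.6.8.1
  Advisory: CVE-2016-4658
  URL: sparklemotion/nokogiri#1615
  Solution: upgrade to >= 1.7.1
  Name: nokogiri
  Version: 1.6.8.1
  Advisory: CVE-2017-9050
  URL: sparklemotion/nokogiri#1673
  Solution: upgrade to >= 1.8.1
  Name: actionview
  Version: 4.2.6
  Advisory: CVE-2016-6316
  Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1
TEXT

# Turn the flat "Key: value" stream into one hash per advisory; each "Name:" line opens a record.
def parse_audit(text)
  text.each_line.each_with_object([]) do |line, records|
    key, value = line.strip.split(/:\s*/, 2)
    next if key.nil? || value.nil?
    records << {} if key == "Name"
    records.last[key] = value unless records.empty?
  end
end

# "upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1" lists alternatives: satisfying any one is enough.
def fixed_alternatives(record)
  record["Solution"].sub(/\Aupgrade to\s*/, "").split(",").map { |r| Gem::Requirement.new(r.strip) }
end

def affected?(record)
  installed = Gem::Version.new(record["Version"])
  fixed_alternatives(record).none? { |req| req.satisfied_by?(installed) }
end

# Smallest version named in any Solution line that satisfies every advisory still open for
# gem_name; nil when the installed version is already clear of all of them.
def minimum_safe_version(records, gem_name)
  open = records.select { |r| r["Name"] == gem_name && affected?(r) }
  return nil if open.empty?
  candidates = open.flat_map { |r| fixed_alternatives(r).flat_map { |q| q.requirements.map(&:last) } }
  candidates.uniq.sort.find { |v| open.all? { |r| fixed_alternatives(r).any? { |q| q.satisfied_by?(v) } } }
end
```

On the sample, `minimum_safe_version(parse_audit(AUDIT_OUTPUT), "nokogiri")` returns 1.8.1, the floor the later advisories on this page converge on, while actionview resolves to 4.2.7.1 because the first `~>` alternative already covers it.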
Earlier versions of Nokogiri have security issues as follows:

* [CVE-2016-4658](sparklemotion/nokogiri#1615)
* [CVE-2017-5029](sparklemotion/nokogiri#1634)
* [CVE-2017-9050](sparklemotion/nokogiri#1673)
* [CVE-2017-16932](sparklemotion/nokogiri#1714)
* [CVE-2017-15412](sparklemotion/nokogiri#1714)
Updated 'deface' to update 'nokogiri' dependency gem after vulnerability checks with 'audit': Nokogiri gem contains several vulnerabilities in libxml2 and libxslt. sparklemotion/nokogiri#1615
Canonical updated Ubuntu's libxml2 package today with some patches that have been applied upstream but are not yet in an official libxml release. I think we should apply these patches to nokogiri's vendored libxml2, but I'd like to provide a period for informed observers to comment.
If you feel strongly it's unnecessary to apply these patches to nokogiri's vendored libxml2, please comment on this issue in the next 24 hours.
USN-3235-1: libxml2 vulnerabilities
Dated 2017-03-16, this security update patches the following CVEs (for which I've linked to the upstream commits) ...
CVE-2016-4448
This is already patched in libxml 2.9.4, which is vendored as of Nokogiri 1.6.8 (released 2016-06-06), and so is not relevant to this discussion.
CVE-2016-4658
Priority: Medium
Description: libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
Patch: Disallow namespace nodes in XPointer ranges
The CVE description makes it sound like an exploit is only possible on Apple-y things; but the patch's commit message indicates the fix is addressing use-after-free bugs found via fuzz testing, and so I think we should assume the bug is valid on other architectures and patch this.
CVE-2016-5131
Priority: Medium
Description: Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.
Patches:
Again, the CVE description makes it sound like an exploit might only be possible in Chrome, but here again the commit message tells us that this is another use-after-free bug found via fuzz testing. I think we should assume the bug is generally valid and patch this.