/nokogiri

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Investigate Ubuntu libxml2 patches in USN-3739-1 and USN-3739-2 #1785

Closed
flavorjones opened this Issue Aug 15, 2018 · 3 comments

Comments

Assignees
No one assigned
Labels
topic/security vendored/libxml2
Projects
None yet
Milestone
  1.8.5
1 participant
@flavorjones
@flavorjones
Copy link
Member

flavorjones commented Aug 15, 2018
edited

This issue is to drive investigation and potential action around a set of upstream patches that Canonical judged valuable enough to port to their distributions.

References:

Summary:

Two upstream patches, not yet available in an official libxml2 release, are candidates for patching in Nokogiri's vendored libxml2. A pull request has been created at #1786 for comments.

@flavorjones flavorjones added topic/security libxml2-upstream labels Aug 15, 2018

@flavorjones flavorjones added this to the 1.8.5 milestone Aug 15, 2018

@flavorjones

This comment has been minimized.

Sign in to view
Copy link
Member

flavorjones commented Aug 15, 2018

USNs

https://usn.ubuntu.com/3739-1/ which addresses:

  • CVE-2016-9318
  • CVE-2017-16932
  • CVE-2017-18258
  • CVE-2018-14404
  • CVE-2018-14567

and https://usn.ubuntu.com/3739-2/ which addresses:

  • CVE-2016-9318
  • CVE-2018-14404

Note that 3739-2 addresses a subset of 3739-1.

CVEs

CVE-2016-9318

Permalink is https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9318.html

Description:

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

Canonical rates this vulnerability as "Priority: Low"

The CVE report indicates this is the patch that addresses the vulnerability:

https://git.gnome.org/browse/libxml2/commit/?id=ad88b54f1a28a8565964a370b5d387927b633c0d

Looking at libxml upstream:

$ git tag --contains ad88b54f1a28a8565964a370b5d387927b633c0d
v2.9.8
v2.9.8-rc1

... we see this was fixed in libxml 2.9.8, which Nokogiri has vendored since v1.8.3.

CVE-2017-16932

Permalink is https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html

Description:

parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities

Canonical rates this vulnerability as "Priority: Low"

The CVE report indicates that this is the patch that addresses the vulnerability:

GNOME/libxml2@899a5d9

Looking at libxml upstream:

$ git tag --contains 899a5d9f0ed13b8e32449a08a361e0de127dd961 | cat
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
v2.9.6
v2.9.6-rc1
v2.9.7
v2.9.7-rc1
v2.9.8
v2.9.8-rc1

... we see this has been fixed since libxml 2.9.5, which Nokogiri has vendored since v1.8.1.

CVE-2017-18258

Permalink is https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18258.html

Description:

The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file

Canonical rates this vulnerability as "Priority: Low"

The CVE report indicates that this is the patch that addresses the vulnerability:

https://gitlab.gnome.org/GNOME/libxml2/commit/e2a9122b8dde53d320750451e9907a7dcb2ca8bb

Looking at libxml upstream:

$ git tag --contains e2a9122b8dde53d320750451e9907a7dcb2ca8bb | cat
v2.9.6
v2.9.6-rc1
v2.9.7
v2.9.7-rc1
v2.9.8
v2.9.8-rc1

... we see this has been fixed since libxml 2.9.6, which Nokogiri has vendored since v1.8.2.

CVE-2018-14404

Permalink is https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html

Description:

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application

Canonical rates this vulnerability as "Priority: Medium"

The CVE report indicates that this is the patch that addresses the vulnerability:

https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594

Looking at libxml upstream:

$ git tag --contains a436374994c47b12d5de1b8b1d191a098fa23594 | cat

... we see that this is not yet addressed in an upstream release. This is curious.

CVE-2018-14567

Permalink is https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html

Description:

infinite loop in LZMA decompression

Canonical rates this vulnerability as "Priority: Medium"

The CVE report indicates that this is the patch that addresses the vulnerability:

https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74

Looking at libxml upstream:

$ git tag --contains 2240fbf5912054af025fb6e01e26375100275e74 | cat

... we see that this is not yet addressed in an upstream release. This is curious.
@flavorjones

This comment has been minimized.

Sign in to view
Copy link
Member

flavorjones commented Aug 15, 2018

Conclusions

Of the five CVEs addressed in this USN, these three are already addressed by Nokogiri:

  • CVE-2016-9318 (since v1.8.3)
  • CVE-2017-16932 (since v1.8.1)
  • CVE-2017-18258 (since v1.8.2)

The remaining two CVEs are not yet addressed in an upstream libxml2 release. Here are the commits in question:

I guess I'll try including these patches and see what happens?

flavorjones added a commit that referenced this issue Aug 15, 2018

@flavorjones
pull in upstream libxml2 patches 
based on USN-3739-1 and -2.

see related #1785.
Loading status checks…
5bff4bb

@flavorjones flavorjones referenced this issue Aug 15, 2018

Merged

pull in upstream libxml2 patches #1786

@flavorjones

This comment has been minimized.

Sign in to view
Copy link
Member

flavorjones commented Aug 15, 2018

I've created a PR at #1786 for comments. Please take a look and comment there.

@flavorjones flavorjones removed this from the 1.8.5 milestone Aug 15, 2018

@flavorjones flavorjones closed this Aug 15, 2018

dtpowl added a commit to sideqik/nokogiri that referenced this issue Sep 5, 2018

@flavorjones @dtpowl
pull in upstream libxml2 patches 
based on USN-3739-1 and -2.

see related sparklemotion#1785.
153a4a4

@flavorjones flavorjones added this to the 1.8.5 milestone Oct 4, 2018

@gregmolnar gregmolnar referenced this issue Oct 5, 2018

Merged

upgrade nokogiri #34088

joenas added a commit to joenas/preschool that referenced this issue Oct 5, 2018

@depfu[bot] @joenas
🚨 [security] Update nokogiri: 1.8.4 → 1.8.5 (patch) (#112) 

<hr>

🚨 <b>Your version of nokogiri has known security vulnerabilities</b> 🚨

Advisory: CVE-2018-14404
Disclosed: October 04, 2018
URL: [sparklemotion/nokogiri#1785

<details>
<summary>Nokogiri gem, via libxml2, is affected by multiple vulnerabilities</summary>
<blockquote>
  <p>Nokogiri 1.8.5 has been released.</p>
<p>This is a security and bugfix release. It addresses two CVEs in upstream<br>
libxml2 rated as "medium" by Red Hat, for which details are below.</p>
<p>If you're using your distro's system libraries, rather than Nokogiri's<br>
vendored libraries, there's no security need to upgrade at this time,<br>
though you may want to check with your distro whether they've patched this<br>
(Canonical has patched Ubuntu packages). Note that these patches are not<br>
yet (as of 2018-10-04) in an upstream release of libxml2.</p>
<p>Full details about the security update are available in Github Issue <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>.<br>
[<a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>]: <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a></p>
<hr>
<p>[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404<br>
and CVE-2018-14567. Full details are available in <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>. Note that these<br>
patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p>
<hr>
<p>CVE-2018-14404</p>
<p>Permalink:</p>
<p><a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14404.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html</a></p>
<p>Description:</p>
<p>A NULL pointer dereference vulnerability exists in the<br>
xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when<br>
parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR<br>
case. Applications processing untrusted XSL format inputs with the use of<br>
the libxml2 library may be vulnerable to a denial of service attack due<br>
to a crash of the application</p>
<p>Canonical rates this vulnerability as "Priority: Medium"</p>
<hr>
<p>CVE-2018-14567</p>
<p>Permalink:</p>
<p><a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14567.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html</a></p>
<p>Description:</p>
<p>infinite loop in LZMA decompression</p>
<p>Canonical rates this vulnerability as "Priority: Medium"</p>
</blockquote>
</details>
<br>
🚨 <b>We recommend to merge and deploy this update as soon as possible!</b> 🚨
<hr>


We've updated a dependency and here is what you need to know:

| name | version specification | old version | new version |
| --- | --- | --- | --- |
| nokogiri | _indirect dependency_ | 1.8.4 | 1.8.5 |



You should probably take a good look at the info here and the test results before merging this pull request, of course.

### What changed?


#### ↗️ nokogiri (_indirect_, 1.8.4 → 1.8.5) · [Repo](https://github.com/sparklemotion/nokogiri/) · [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md)


<details>
<summary>Commits</summary>
<p><a href="https://github.com/sparklemotion/nokogiri/compare/254f3414811b6d2fff8b0630efe4ce8d29778fb6...e28fa4bb2ed6844c3c63f58062d034e7b99fc90c">See the full diff on Github</a>. The new version differs by 11 commits:</p>

<ul>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/e28fa4bb2ed6844c3c63f58062d034e7b99fc90c"><code>version bump to v1.8.5</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/712edef8a8c7fa593e09517891d336758af42cba"><code>update changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7feb4c167a9ae1ba4e87923597ba7e7b309b1713"><code>Merge branch &#39;fix-1773&#39;</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7cc6cf6a74bd718b46182f0e646b63ff0a00f728"><code>Organize imports in XmlNode.java.</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/169744261c5c023dff40de0811a826ad4d1fcc05"><code>Allow reparenting nodes to be a child of an empty document.</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7b8cd0f5b15a926e92c869b450dd6f71cdd17b61"><code>Merge pull request #1786 from sparklemotion/1785-canonical-usns</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/5bff4bb3f1692069c617f4333b2ccc5570f0f414"><code>pull in upstream libxml2 patches</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/c232226448a44bb81220d3750a6453a0aef88fb1"><code>changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/862b88f39264b7b5e223a63e3d4d0eeade4db9ff"><code>changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/b3750eb71e101287aa0e7a231232222c7213b3f3"><code>remove `-Wextra` CFLAG</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/91a63d55eb92ef0bcb141b6c094a28ef026eaf16"><code>add tests for pkg-config failure scenario</code></a></li>
</ul>
</details>




---
[![Depfu Status](https://depfu.com/badges/e69c6c7bda228fd38f6335ea889589cb/stats.svg)](https://depfu.com/repos/joenas/preschool?project_id=4294 "See the full overview on Depfu")

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`.

<details><summary>All Depfu comment commands</summary>
<blockquote><dl>
<dt>@​depfu rebase</dt><dd>Rebases against your default branch and redoes this update</dd>
<dt>@​depfu pause</dt><dd>Ignores all future updates for this dependency and closes this PR</dd>
<dt>@​depfu pause [minor|major]</dt><dd>Ignores all future minor/major updates for this dependency and closes this PR</dd>
<dt>@​depfu resume</dt><dd>Future versions of this dependency will create PRs again (leaves this PR as is)</dd>
</dl></blockquote>
Go to the <a href="https://depfu.com/repos/joenas/preschool?project_id=4294">Depfu Dashboard</a> to see the state of your dependencies and to customize how Depfu works.
</details>
40a0c82

danbernier added a commit to tedconf/crushinator_helpers that referenced this issue Oct 5, 2018

@danbernier
update nokogiri to 1.8.5 for CVE-2018-14404 
Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple
vulnerabilities
Solution: upgrade to >= 1.8.5
Loading status checks…
835181e

roback added a commit to twingly/feedjira.herokuapp.com that referenced this issue Oct 5, 2018

@roback
Update nokogiri (CVE-2018-14404) 
sparklemotion/nokogiri#1785
a5f2d10

roback added a commit to twingly/feedbag.herokuapp.com that referenced this issue Oct 5, 2018

@roback
Update nokogiri (CVE-2018-14404) 
sparklemotion/nokogiri#1785
172023b

wassimk added a commit to tulsarb/movies that referenced this issue Oct 5, 2018

@depfu[bot] @wassimk
🚨 [security] Update nokogiri: 1.8.4 → 1.8.5 (patch) (#20) 

<hr>

🚨 <b>Your version of nokogiri has known security vulnerabilities</b> 🚨

Advisory: CVE-2018-14404
Disclosed: October 04, 2018
URL: [sparklemotion/nokogiri#1785

<details>
<summary>Nokogiri gem, via libxml2, is affected by multiple vulnerabilities</summary>
<blockquote>
  <p>Nokogiri 1.8.5 has been released.</p>
<p>This is a security and bugfix release. It addresses two CVEs in upstream<br>
libxml2 rated as "medium" by Red Hat, for which details are below.</p>
<p>If you're using your distro's system libraries, rather than Nokogiri's<br>
vendored libraries, there's no security need to upgrade at this time,<br>
though you may want to check with your distro whether they've patched this<br>
(Canonical has patched Ubuntu packages). Note that these patches are not<br>
yet (as of 2018-10-04) in an upstream release of libxml2.</p>
<p>Full details about the security update are available in Github Issue <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>.<br>
[<a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>]: <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a></p>
<hr>
<p>[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404<br>
and CVE-2018-14567. Full details are available in <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>. Note that these<br>
patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p>
<hr>
<p>CVE-2018-14404</p>
<p>Permalink:</p>
<p><a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14404.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html</a></p>
<p>Description:</p>
<p>A NULL pointer dereference vulnerability exists in the<br>
xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when<br>
parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR<br>
case. Applications processing untrusted XSL format inputs with the use of<br>
the libxml2 library may be vulnerable to a denial of service attack due<br>
to a crash of the application</p>
<p>Canonical rates this vulnerability as "Priority: Medium"</p>
<hr>
<p>CVE-2018-14567</p>
<p>Permalink:</p>
<p><a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14567.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html</a></p>
<p>Description:</p>
<p>infinite loop in LZMA decompression</p>
<p>Canonical rates this vulnerability as "Priority: Medium"</p>
</blockquote>
</details>
<br>
🚨 <b>We recommend to merge and deploy this update as soon as possible!</b> 🚨
<hr>


We've updated a dependency and here is what you need to know:

| name | version specification | old version | new version |
| --- | --- | --- | --- |
| nokogiri | _indirect dependency_ | 1.8.4 | 1.8.5 |



You should probably take a good look at the info here and the test results before merging this pull request, of course.

### What changed?


#### ↗️ nokogiri (_indirect_, 1.8.4 → 1.8.5) · [Repo](https://github.com/sparklemotion/nokogiri/) · [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md)


<details>
<summary>Commits</summary>
<p><a href="https://github.com/sparklemotion/nokogiri/compare/254f3414811b6d2fff8b0630efe4ce8d29778fb6...e28fa4bb2ed6844c3c63f58062d034e7b99fc90c">See the full diff on Github</a>. The new version differs by 11 commits:</p>

<ul>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/e28fa4bb2ed6844c3c63f58062d034e7b99fc90c"><code>version bump to v1.8.5</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/712edef8a8c7fa593e09517891d336758af42cba"><code>update changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7feb4c167a9ae1ba4e87923597ba7e7b309b1713"><code>Merge branch &#39;fix-1773&#39;</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7cc6cf6a74bd718b46182f0e646b63ff0a00f728"><code>Organize imports in XmlNode.java.</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/169744261c5c023dff40de0811a826ad4d1fcc05"><code>Allow reparenting nodes to be a child of an empty document.</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7b8cd0f5b15a926e92c869b450dd6f71cdd17b61"><code>Merge pull request #1786 from sparklemotion/1785-canonical-usns</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/5bff4bb3f1692069c617f4333b2ccc5570f0f414"><code>pull in upstream libxml2 patches</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/c232226448a44bb81220d3750a6453a0aef88fb1"><code>changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/862b88f39264b7b5e223a63e3d4d0eeade4db9ff"><code>changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/b3750eb71e101287aa0e7a231232222c7213b3f3"><code>remove `-Wextra` CFLAG</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/91a63d55eb92ef0bcb141b6c094a28ef026eaf16"><code>add tests for pkg-config failure scenario</code></a></li>
</ul>
</details>




---
![Depfu Status](https://depfu.com/badges/0a723c09b68149a932bdb420ef5f5e4e/stats.svg)

[Depfu](https://depfu.com) will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`.

<details><summary>All Depfu comment commands</summary>
<blockquote><dl>
<dt>@​depfu rebase</dt><dd>Rebases against your default branch and redoes this update</dd>
<dt>@​depfu pause</dt><dd>Ignores all future updates for this dependency and closes this PR</dd>
<dt>@​depfu pause [minor|major]</dt><dd>Ignores all future minor/major updates for this dependency and closes this PR</dd>
<dt>@​depfu resume</dt><dd>Future versions of this dependency will create PRs again (leaves this PR as is)</dd>
</dl></blockquote>
</details>
Loading status checks…
e8784d5

SViccari added a commit to bostonrb/bostonrb.org that referenced this issue Oct 5, 2018

@SViccari
Address security warning for nokogiri 
Bundler-audit report the following security advisory for nokogiri. This
PR updates nokogiri to the recommended version.

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple
vulnerabilities
Solution: upgrade to >= 1.8.5
Loading status checks…
ccdd9bb

@SViccari SViccari referenced this issue Oct 5, 2018

Merged

Address security warning for nokogiri #43

phallstrom added a commit to railslink/railslink that referenced this issue Oct 7, 2018

@phallstrom
Upgrade nokogiri gem to 1.8.5 to resolve CVE-2018-14404 
see https://circleci.com/gh/railslink/railslink/138

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5
Loading status checks…
f853dcb

@phallstrom phallstrom referenced this issue Oct 7, 2018

Merged

Upgrade nokogiri gem to 1.8.5 to resolve CVE-2018-14404 #49

phallstrom added a commit to railslink/railslink that referenced this issue Oct 7, 2018

@phallstrom
Upgrade nokogiri gem to 1.8.5 to resolve CVE-2018-14404 (#49) 
see https://circleci.com/gh/railslink/railslink/138

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
dd96077

mjankowski added a commit to mjankowski/rubygems.org that referenced this issue Oct 11, 2018

@mjankowski
Update nokogiri to version 1.8.5 
Resolves CVE described here: sparklemotion/nokogiri#1785
8d2a625

@mjankowski mjankowski referenced this issue Oct 11, 2018

Merged

Update nokogiri to version 1.8.5 #1799

AdrianCann added a commit to sophomoric/secret that referenced this issue Oct 14, 2018

@AdrianCann
Update gems with security vulnerabilities 
ruby-advisory-db: 323 advisories
Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2
373dd8c

AdrianCann added a commit to sophomoric/secret that referenced this issue Oct 14, 2018

@AdrianCann
Update gems with security vulnerabilities 
ruby-advisory-db: 323 advisories
Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2
Loading status checks…
92be435

@AdrianCann AdrianCann referenced this issue Oct 14, 2018

Merged

Update gems with security vulnerabilities #91

AdrianCann added a commit to sophomoric/secret that referenced this issue Oct 14, 2018

@AdrianCann
Update gems with security vulnerabilities (#91) 
ruby-advisory-db: 323 advisories
Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
333664e

rainerdema added a commit to nebulab/solidus_static_content-1 that referenced this issue Oct 18, 2018

@rainerdema
Update 'deface' dependency version 
Updated 'deface' to update 'nokogiri' dependency gem after vulnerability 
checks with 'audit':
Nokogiri gem, via libxml2, is affected by multiple vulnerabilities.

sparklemotion/nokogiri#1785
9b5039d

This was referenced Oct 18, 2018

Closed
Open

@ur5us ur5us referenced this issue Oct 18, 2018

Closed

Upgrade gems due to a security bug fix in Nokigiri #577

rimenes added a commit to rimenes/reviewit that referenced this issue Oct 19, 2018

@rimenes
Security update for compromised gems. 
Name: nokogiri
Version: 1.8.2
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities

Name: nokogiri
Version: 1.8.2
Advisory: CVE-2018-8048
Criticality: Unknown
URL: sparklemotion/nokogiri#1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS

Name: sprockets
Version: 2.12.4
Advisory: CVE-2018-3760
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Title: Path Traversal in Sprockets
88ee6da

@rimenes rimenes referenced this issue Oct 19, 2018

Merged

Security update for compromised gems. #130

hugopl added a commit to hugopl/reviewit that referenced this issue Oct 22, 2018

@rimenes @hugopl
Security update for compromised gems. 
Name: nokogiri
Version: 1.8.2
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities

Name: nokogiri
Version: 1.8.2
Advisory: CVE-2018-8048
Criticality: Unknown
URL: sparklemotion/nokogiri#1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS

Name: sprockets
Version: 2.12.4
Advisory: CVE-2018-3760
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Title: Path Traversal in Sprockets
Loading status checks…
4c65512

rimenes added a commit to rimenes/droptune that referenced this issue Oct 23, 2018

@rimenes
Gem security updates. 
Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2
4a73f2f

@rimenes rimenes referenced this issue Oct 23, 2018

Merged

Gem security updates. #70

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Nov 1, 2018

tsutsui
ruby-nokogiri: update to 1.8.5. 
Upstream changes (from CHANGELOG.md):

# 1.8.5 / 2018-10-04

## Security Notes

[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404
and CVE-2018-14567. Full details are available in [#1785]
(sparklemotion/nokogiri#1785).
Note that these patches are not yet (as of 2018-10-04) in an upstream
release of libxml2.


## Bug fixes

* [MRI] Fix regression in installation when building against system
  libraries, where some systems would not be able to find libxml2 or
  libxslt when present. (Regression introduced in v1.8.3.) [#1722]
* [JRuby] Fix node reparenting when the destination doc is empty. [#1773]
28f6c76

Koronen added a commit to swanson/stringer that referenced this issue Nov 1, 2018

@Koronen
Bump nokogiri to address CVE-2018-8048 and CVE-2018-14404 
As reported by `bundler-audit`:

    Name: nokogiri
    Version: 1.8.2
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1746
    Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
    Solution: upgrade to >= 1.8.3

    Name: nokogiri
    Version: 1.8.2
    Advisory: CVE-2018-14404
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1785
    Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
    Solution: upgrade to >= 1.8.5
Loading status checks…
6c63bab

@mberrueta mberrueta referenced this issue Nov 2, 2018

Closed

Update nokogiri to 1.8.5 ~ CVE-2018-14404 #79

frederikspang added a commit to frederikspang/rails-html-sanitizer that referenced this issue Nov 2, 2018

@frederikspang
Addresses Security Issues in loofah and nokogiri 
flavorjones/loofah#154 and sparklemotion/nokogiri#1785
Verified
This commit was signed with a verified signature.
@frederikspang frederikspang Frederik Spang
GPG key ID: DD1DD45E35EF12DC Learn about signing commits
96c346a

@frederikspang frederikspang referenced this issue Nov 2, 2018

Closed

Addresses Security Issues in loofah and nokogiri #80

@mauromorales mauromorales referenced this issue Nov 7, 2018

Merged

Bump gems for security vulnerabilities #11

matt-hh added a commit to produktgenuss/administrate that referenced this issue Nov 13, 2018

@matt-hh
Update gems 
- Fix some vulnerabilities

```
Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16470
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Title: Possible DoS vulnerability in Rack
Solution: upgrade to >= 2.0.6

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6
```

- Fix factory_bot issues
- Closes thoughtbot#1225
84e6d01

@sobanakram sobanakram referenced this issue Nov 23, 2018

Merged

Automated Bundle Update #2

composerinteralia added a commit to thoughtbot/administrate that referenced this issue Nov 28, 2018

@matt-hh @composerinteralia
Update gems (#1241) 
- Fix some vulnerabilities

```
Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16470
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Title: Possible DoS vulnerability in Rack
Solution: upgrade to >= 2.0.6

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6
```

- Fix factory_bot issues
- Closes #1225
Loading status checks…
05b7768

gabebw added a commit to gabebw/hotline-webring that referenced this issue Dec 12, 2018

@gabebw
Update vulnerable gems 
The vulnerability message is below. In order to upgrade activejob, I had
to upgrade Rails to version 5.1.6.1, which touched quite a few other
gems.

    Name: activejob
    Version: 5.1.4
    Advisory: CVE-2018-16476
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
    Title: Broken Access Control vulnerability in Active Job
    Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1

    Name: loofah
    Version: 2.1.1
    Advisory: CVE-2018-16468
    Criticality: Unknown
    URL: flavorjones/loofah#154
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.3

    Name: loofah
    Version: 2.1.1
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: flavorjones/loofah#144
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.1

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2018-14404
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1785
    Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
    Solution: upgrade to >= 1.8.5

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2017-15412
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1714
    Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
    Solution: upgrade to >= 1.8.2

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1746
    Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
    Solution: upgrade to >= 1.8.3

    Name: rack
    Version: 2.0.3
    Advisory: CVE-2018-16471
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
    Title: Possible XSS vulnerability in Rack
    Solution: upgrade to ~> 1.6.11, >= 2.0.6

    Name: rails-html-sanitizer
    Version: 1.0.3
    Advisory: CVE-2018-3741
    Criticality: Unknown
    URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
    Title: XSS vulnerability in rails-html-sanitizer
    Solution: upgrade to >= 1.0.4

    Name: sprockets
    Version: 3.7.1
    Advisory: CVE-2018-3760
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
    Title: Path Traversal in Sprockets
    Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
Loading status checks…
873ba5b

gabebw added a commit to gabebw/hotline-webring that referenced this issue Dec 12, 2018

@gabebw
Update vulnerable gems 
The vulnerability message is below. In order to upgrade activejob, I had
to upgrade Rails to version 5.1.6.1, which touched quite a few other
gems.

    Name: activejob
    Version: 5.1.4
    Advisory: CVE-2018-16476
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
    Title: Broken Access Control vulnerability in Active Job
    Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1

    Name: loofah
    Version: 2.1.1
    Advisory: CVE-2018-16468
    Criticality: Unknown
    URL: flavorjones/loofah#154
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.3

    Name: loofah
    Version: 2.1.1
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: flavorjones/loofah#144
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.1

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2018-14404
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1785
    Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
    Solution: upgrade to >= 1.8.5

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2017-15412
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1714
    Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
    Solution: upgrade to >= 1.8.2

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1746
    Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
    Solution: upgrade to >= 1.8.3

    Name: rack
    Version: 2.0.3
    Advisory: CVE-2018-16471
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
    Title: Possible XSS vulnerability in Rack
    Solution: upgrade to ~> 1.6.11, >= 2.0.6

    Name: rails-html-sanitizer
    Version: 1.0.3
    Advisory: CVE-2018-3741
    Criticality: Unknown
    URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
    Title: XSS vulnerability in rails-html-sanitizer
    Solution: upgrade to >= 1.0.4

    Name: sprockets
    Version: 3.7.1
    Advisory: CVE-2018-3760
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
    Title: Path Traversal in Sprockets
    Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
Loading status checks…
89cdf58

@johnsyweb johnsyweb referenced this issue Dec 20, 2018

Merged

Automated Bundle Update #8

@flavorjones flavorjones added the vendored/libxml2 label Jan 5, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment