CVE-2019-5477 - Nokogiri Command Injection Vulnerability #1915

Closed
flavorjones opened this issue Jul 20, 2019 · 4 comments
@flavorjones flavorjones commented Jul 20, 2019

CVE-2019-5477 - Nokogiri Command Injection Vulnerability

This issue has been created for public disclosure of a Command Injection vulnerability that was responsibly reported by @kyoshidajp (Katsuhiko YOSHIDA).

I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Nokogiri maintainers.

Severity

Nokogiri maintainers have evaluated this as High (CVSS3 8.1)

Description

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Affected Versions

Nokogiri < v1.10.4

Mitigation

Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method Nokogiri::CSS::Tokenizer#load_file with untrusted user input.

Further Mitigating Actions Taken

This vulnerability could have been easily detected using Rubocop's Security cop, and so the Security cop has been introduced into the test suite. If for any reason Rubocop flags something as "insecure" in the future, that will fail the test suite and block release.

References


History of this public disclosure

  • 2019-07-20T19:42+00:00: empty issue-of-record created, all information is embargoed
  • 2019-08-11T19:28+00:00: embargo ends, full information made available
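As an added example (not code from Nokogiri or Rexical), here is a hypothetical scanner whose `load_file` is written both ways: the `Kernel#open` form the advisory describes next to a `File.open` replacement with an explicit guard. `CssScanner`, `Tokenizer`, `UnsafeTokenizer` and `command_path?` are names assumed here, and the selector grammar is a small constructed subset.

```ruby
# Added example, not Nokogiri's or Rexical's own code. It reconstructs the
# shape of CVE-2019-5477 hypothetically: a generated scanner whose load_file
# hands its argument to Kernel#open, beside a hardened File.open replacement.
require "tempfile"

module CssScanner
  # Hypothetical vulnerable form. Kernel#open interprets a filename that
  # starts with "|" as "spawn this command and read its stdout", which is
  # why passing untrusted input to such a load_file is a command injection.
  # RuboCop's Security/Open cop flags exactly this call shape.
  # Defined only for comparison; never call it with an untrusted string.
  class UnsafeTokenizer
    attr_reader :source

    def load_file(filename)
      open(filename, "r") { |f| @source = f.read } # Kernel#open
      self
    end
  end

  # Hardened form: File.open never spawns a process (a leading "|" is just
  # a path character), and an explicit guard refuses pipe-style names
  # outright so the failure is an ArgumentError rather than a subprocess.
  class Tokenizer
    attr_reader :source

    # Constructed subset of CSS selector syntax: identifiers, #id, .class,
    # combinators and attribute-selector punctuation, quoted strings.
    TOKEN_RE = /\s*([a-zA-Z_][\w-]*|#[\w-]+|\.[\w-]+|[>+~\[\]=*,]|"[^"]*")/

    def load_file(filename)
      if CssScanner.command_path?(filename)
        raise ArgumentError, "refusing pipe-style filename: #{filename.inspect}"
      end
      File.open(filename, "r") { |f| @source = f.read }
      self
    end

    # Returns the token strings found in the loaded source, in order.
    def tokens
      @source.scan(TOKEN_RE).flatten
    end
  end

  # True for any string Kernel#open would have treated as a command.
  def self.command_path?(name)
    name.is_a?(String) && name.start_with?("|")
  end
end
```

The guard is belt and braces: even without it, `File.open("|echo x")` only raises `Errno::ENOENT`, which is the behaviour the Rexical v1.0.7 change restores.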
@flavorjones flavorjones commented Aug 10, 2019

Checklist:

  • push commits to v1.10.x branch
  • watch nokogiri-v1.10.x pipeline go green
  • release v1.10.4
  • update this issue with full details
  • apply those commits to master
@flavorjones flavorjones added this to the v1.10.x patch releases milestone Aug 10, 2019
flavorjones added a commit that referenced this issue Aug 11, 2019
related to #1915
flavorjones added a commit that referenced this issue Aug 11, 2019
which was raised by Rubocop's security filter

related to #1915
flavorjones added a commit that referenced this issue Aug 11, 2019
related to #1915
flavorjones added a commit that referenced this issue Aug 11, 2019
related to #1915
@flavorjones flavorjones commented Aug 11, 2019

v1.10.4 has been released addressing this vulnerability.

flavorjones added a commit that referenced this issue Aug 11, 2019
related to #1915
flavorjones added a commit that referenced this issue Aug 11, 2019
which was raised by Rubocop's security filter

related to #1915
flavorjones added a commit that referenced this issue Aug 11, 2019
related to #1915
flavorjones added a commit that referenced this issue Aug 11, 2019
related to #1915
@flavorjones flavorjones changed the title [placeholder] embargoed security vulnerability CVE-2019-5477 - Nokogiri Command Injection Vulnerability Aug 11, 2019
@touhouota touhouota mentioned this issue Aug 12, 2019
va-bot added a commit to department-of-veterans-affairs/caseflow that referenced this issue Aug 13, 2019
`bundle exec rake security` alerted us to a vulnerability in the Nokogiri library we use for XML and HTML parsing. This PR updates the library to a version that is not vulnerable to the disclosed CVE as per the directions presented by the maintainers (sparklemotion/nokogiri#1915).

```bash
$> bundle exec rake security
...
Updated ruby-advisory-db
ruby-advisory-db: 384 advisories
Looking for ~/Projects/caseflow/.security.yml
bundle-audit check --ignore=
Name: nokogiri
Version: 1.10.3
Advisory: CVE-2019-5477
Criticality: Unknown
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4

Vulnerabilities found!

Failed. Security vulnerabilities were found. Find the dependency in Gemfile.lock,
then specify a safe version of the dependency in the Gemfile (preferred) or
snooze the CVE in .security.yml for a week.
```
dentarg added a commit to twingly/feedbag.herokuapp.com that referenced this issue Aug 14, 2019
dentarg added a commit to twingly/feedjira.herokuapp.com that referenced this issue Aug 14, 2019
@greysteil greysteil commented Aug 15, 2019

@flavorjones thanks for all your work on this and everything else you do.

I'm on the security team at GitHub these days, and noticed that this didn't come through to our advisory curation team via the NVD feed, even though you've got a CVE for it. It looks like that's because the CVE has been assigned but not published.

Would you mind prodding HackerOne to mark this as published, now that it's been publicly disclosed? We're also planning to make it easy to get CVEs through GitHub itself and have the publishing process for them automated, so hopefully we can help more here in future.

phallstrom added a commit to railslink/railslink that referenced this issue Aug 15, 2019
phallstrom added a commit to railslink/railslink that referenced this issue Aug 15, 2019
phallstrom added a commit to railslink/railslink that referenced this issue Aug 15, 2019
@reedloden reedloden commented Aug 15, 2019

@greysteil We (HackerOne) submitted it to MITRE for publication this morning (we normally only do this once a week, unless specifically asked to do it sooner). Once they process it, it should be all live.

@arku arku mentioned this issue Aug 15, 2019
@touhouota touhouota mentioned this issue Aug 17, 2019
iszandro added a commit to iszandro/machetito that referenced this issue Aug 19, 2019
senid231 added a commit to senid231/yeti-web that referenced this issue Aug 26, 2019
sparklemotion/nokogiri#1915
Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
senid231 added a commit to senid231/yeti-web that referenced this issue Aug 27, 2019
sparklemotion/nokogiri#1915
Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Cruikshanks added a commit to DEFRA/defra-ruby-area that referenced this issue Aug 28, 2019
[CVE-2019-5477](sparklemotion/nokogiri#1915) identifies an issue in Nokogiri version 1.10.3. The resolution is to upgrade to version 1.10.4.

Hakiri is failing our build because our minimum requirement is 1.10.3 hence this change to bump it to the fixed version.
matthewoliver added a commit to matthewoliver/crowbar-core that referenced this issue Aug 29, 2019
A bunch of PRs in the crowbar-core are blocked due to a travis CI check:

  bundle-audit check --ignore ...

This is due to a security embargo that was lifted and blocked by a
version of nokogiri:

  Name: nokogiri
  Version: 1.9.1
  Advisory: CVE-2019-5477
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1915
  Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
  Solution: upgrade to >= 1.10.4

I asked about it in the rocketchat #cloud channel, and apparently Rick
has looked into it and it seems we are unaffected by it as we don't use
the version when building the RPM.

I've also done a quick look through IBS and I can't see nokogiri as a
build requirement for crowbar, crowbar-core or crowbar-openstack. Well
it isn't even mentioned in any of the spec files.

So raising this PR to add it to the ignore so we can unblock the
crowbar-core PRs.
matthewoliver added a commit to matthewoliver/crowbar-core that referenced this issue Aug 29, 2019
A bunch of PRs in the crowbar-core are blocked due to a travis CI check:

  bundle-audit check --ignore ...

This is due to a security embargo that was lifted and blocked by a
version of nokogiri:

  Name: nokogiri
  Version: 1.9.1
  Advisory: CVE-2019-5477
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1915
  Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
  Solution: upgrade to >= 1.10.4

I asked about it in the rocketchat #cloud channel, and apparently Rick
has looked into it and it seems we are unaffected by it as we don't use
the version when building the RPM.

I've also done a quick look through IBS and I can't see nokogiri as a
build requirement for crowbar, crowbar-core or crowbar-openstack. Well
it isn't even mentioned in any of the spec files.

So raising this PR to add it to the ignore so we can unblock the
crowbar-core PRs.

Adding the SOC-9635, as it's the patch of mine that is blocked on it, and
so it passes travis CI.
matthewoliver added a commit to matthewoliver/crowbar-core that referenced this issue Aug 29, 2019
A bunch of PRs in the crowbar-core are blocked due to a travis CI check:

  bundle-audit check --ignore ...

This is due to a security embargo that was lifted and blocked by a
version of nokogiri:

  Name: nokogiri
  Version: 1.9.1
  Advisory: CVE-2019-5477
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1915
  Title: Nokogiri Command Injection Vulnerability via
         Nokogiri::CSS::Tokenizer#load_file
  Solution: upgrade to >= 1.10.4

I asked about it in the rocketchat #cloud channel, and apparently Rick
has looked into it and it seems we are unaffected by it as we don't use
the version when building the RPM.

I've also done a quick look through IBS and I can't see nokogiri as a
build requirement for crowbar, crowbar-core or crowbar-openstack. Well
it isn't even mentioned in any of the spec files.

So raising this PR to add it to the ignore so we can unblock the
crowbar-core PRs.

Adding the SOC-9635, as it's the patch of mine that is blocked on it, and
so it passes travis CI.
@ghardytest ghardytest bot mentioned this issue Aug 29, 2019
rhafer added a commit to rhafer/crowbar-core that referenced this issue Aug 30, 2019
A bunch of PRs in the crowbar-core are blocked due to a travis CI check:

  bundle-audit check --ignore ...

This is due to a security embargo that was lifted and blocked by a
version of nokogiri:

  Name: nokogiri
  Version: 1.9.1
  Advisory: CVE-2019-5477
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1915
  Title: Nokogiri Command Injection Vulnerability via
         Nokogiri::CSS::Tokenizer#load_file
  Solution: upgrade to >= 1.10.4

I asked about it in the rocketchat #cloud channel, and apparently Rick
has looked into it and it seems we are unaffected by it as we don't use
the version when building the RPM.

I've also done a quick look through IBS and I can't see nokogiri as a
build requirement for crowbar, crowbar-core or crowbar-openstack. Well
it isn't even mentioned in any of the spec files.

So raising this PR to add it to the ignore so we can unblock the
crowbar-core PRs.

Adding the SOC-9635, as it's the patch of mine that is blocked on it, and
so it passes travis CI.

(cherry picked from commit 8400e28)
vbalbarin added a commit to YaleSpinup/dns-api that referenced this issue Oct 2, 2019
Name: nokogiri
Version: 1.10.3
Advisory: CVE-2019-5477
Criticality: High
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4
facebook-github-bot added a commit to Instagram/IGListKit that referenced this issue Oct 30, 2019
Summary:
We don't use nokogiri directly in our library, but it found its way into our Gemfile.lock. I'm bumping the version in the Gemfile.lock because the version it's calling for has a security vuln: sparklemotion/nokogiri#1915. I ran into this when I tried setting up this library from a GitHub clone, so I imagine others may be running into this and wasting time on it as well.

Another solution here would just be to remove nokogiri from our Gemfile.lock entirely. I don't think we use it directly anywhere, and it was just included in the lock because it happened to be in someone's environment at the time of the lock file creation.

Reviewed By: joetam

Differential Revision: D18046184

fbshipit-source-id: de6263bb24783988545a77cb67ee66c9697820de
bors-alpinelab bot added a commit to alpinelab/toolbox that referenced this issue Nov 1, 2019
Merge #119
119: [Security] Bump nokogiri from 1.10.3 to 1.10.5 r=michaelbaudino a=dependabot-preview[bot]

Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.3 to 1.10.5. **This update includes security fixes.**
<details>
<summary>Release notes</summary>

*Sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases).*

> ## 1.10.5 / 2019-10-31
> 
> ### Dependencies
> 
> * [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
> * [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34
> 
> 
> 
> ## 1.10.4 / 2019-08-11
> 
> ### Security
> 
> #### Address CVE-2019-5477 ([#1915](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915))
> 
> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.
> 
> This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
> 
> This CVE's public notice is [sparklemotion/nokogiri#1915](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915)
> 
</details>
<details>
<summary>Commits</summary>

- [`1bc2ff9`](sparklemotion/nokogiri@1bc2ff9) version bump to v1.10.5
- [`383c1f8`](sparklemotion/nokogiri@383c1f8) update CHANGELOG
- [`43a1753`](sparklemotion/nokogiri@43a1753) dependency: update libxslt to 1.1.34 final
- [`99d8a6b`](sparklemotion/nokogiri@99d8a6b) dependency: update libxml to 2.9.10 final
- [`2a86496`](sparklemotion/nokogiri@2a86496) add suppressions for ruby 2.7
- [`dca794a`](sparklemotion/nokogiri@dca794a) update CHANGELOG with correct release date for v1.10.4
- [`077e010`](sparklemotion/nokogiri@077e010) update rake-compiler commands to install bundler
- [`beb832e`](sparklemotion/nokogiri@beb832e) version bump to v1.10.4
- [`5d30128`](sparklemotion/nokogiri@5d30128) Merge branch '1915-css-tokenizer-load-file-vulnerability_v1.10.x' into v1.10.x
- [`c86b5fc`](sparklemotion/nokogiri@c86b5fc) update CHANGELOG
- Additional commits viewable in [compare view](sparklemotion/nokogiri@v1.10.3...v1.10.5)
</details>


Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
facebook-github-bot added a commit to facebook/watchman that referenced this issue Nov 1, 2019
Summary:
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.8.0 to 1.10.5.
<details>
<summary>Release notes</summary>

*Sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases).*

> ## 1.10.5 / 2019-10-31
>
> ### Dependencies
>
> * [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
> * [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34
>
>
>
> ## 1.10.4 / 2019-08-11
>
> ### Security
>
> #### Address CVE-2019-5477 ([#1915](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915))
>
> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.
>
> This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
>
> This CVE's public notice is [sparklemotion/nokogiri#1915](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915)
>
>
> ## 1.10.3 / 2019-04-22
>
> ### Security Notes
>
> [MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in [#1892](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1892). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.
>
> ## 1.10.2 / 2019-03-24
>
> ### Security
>
> * [MRI] Remove support from vendored libxml2 for future script macros. [#1871](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1871)
> * [MRI] Remove support from vendored libxml2 for server-side includes within attributes. [#1877](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1877)
>
>
> ### Bug fixes
>
> * [JRuby] Fix node ownership in duplicated documents. [#1060](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1060)
> * [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, [#1872](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1872)] (Thanks, [@&#8203;adjam](https://github.com/adjam)!)
>
>
>
> ## 1.10.1 / 2019-01-13
>
> ### Features
>
> * [MRI] During installation, handle Xcode 10's new library path. [#1801, [#1851](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1851)] (Thanks, [@&#8203;mlj](https://github.com/mlj) and [@&#8203;deepj](https://github.com/deepj)!)
> * Avoid unnecessary creation of `Proc`s in many methods. [#1776](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1776) (Thanks, [@&#8203;chopraanmol1](https://github.com/chopraanmol1)!)
>
> ... (truncated)
</details>
Pull Request resolved: #757

Differential Revision: D18281040

Pulled By: wez

fbshipit-source-id: d5bf78860f5bbdcc3b88ea12a6533511e4405938
sinsoku added a commit to sinsoku/wovnrb that referenced this issue Nov 30, 2019
d-leclere added a commit to d-leclere/github-slideshow that referenced this issue Dec 10, 2019
d-leclere added a commit to d-leclere/github-slideshow that referenced this issue Dec 10, 2019