
Update Nokogiri because of security problems #285

Closed

Conversation

Marthyn
Contributor

@Marthyn Marthyn commented Dec 2, 2015

In the CircleCI checks on my other PR #282 I saw that there are vulnerabilities for the current Nokogiri version in the Gemfile.lock:

Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-1819
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

@c-lliope
Contributor

c-lliope commented Dec 7, 2015

oh, damn. I didn't see this until just now, and I created and merged in #294 to do the same thing. I actually like this a bit better because it doesn't modify the Gemfile, but I don't think it's a big enough issue to change.

Thanks for your help!

@c-lliope c-lliope closed this Dec 7, 2015
c-lliope added a commit that referenced this pull request Dec 7, 2015
Problem:

Our app doesn't directly depend on nokogiri -
the test suite depends on Capybara,
which in turn depends on Nokogiri.

Because of this, we should not have `nokogiri`
referenced explicitly in our Gemfile.

Commit 12e0db4 upgraded nokogiri
by explicitly setting the desired version
in the Gemfile.

Solution:

Several PRs (#285, #293) have used a different approach
for upgrading Nokogiri, in order to get their build passing.

They ran `bundle update nokogiri`
without explicitly setting the desired version in the Gemfile.
The most recent version of nokogiri contains the required security fix,
so it solves the original problem.

This commit reverts the changes made in 12e0db4,
and updates nokogiri
using the standard `bundle update nokogiri` approach.
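The advisory output above gives a locked version (1.6.6.2) and a patched-version requirement ("~> 1.6.6.4, >= 1.6.7.rc4"). The following is an added example, not code from this PR or the project: it reads the `nokogiri` entry from a Gemfile.lock (a constructed fragment is embedded) and checks it against that requirement with RubyGems' own version comparison, so the result matches what `bundle update nokogiri` must produce for the check to pass. The fixture, function names and the 4-space `specs:` indentation rule are assumptions.

```ruby
require "rubygems"

# Patched versions exactly as listed in the advisory's "Solution:" line (CVE-2015-1819).
PATCHED_REQUIREMENTS = ["~> 1.6.6.4", ">= 1.6.7.rc4"].freeze

# Constructed Gemfile.lock fragment (assumption) resembling the state this PR found:
# nokogiri is not in the Gemfile, it is only pulled in by capybara.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      capybara (2.5.0)
        nokogiri (>= 1.3.3)
      mini_portile (0.6.2)
      nokogiri (1.6.6.2)
        mini_portile (~> 0.6.0)
LOCK

# Returns the locked version of +gem_name+ from Gemfile.lock text, or nil.
# In the `specs:` block, a locked gem is indented 4 spaces ("    name (x.y.z)");
# lines indented 6 spaces are dependency constraints, not locked versions,
# so they are deliberately not matched.
def locked_version(lock_text, gem_name)
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/
  lock_text.each_line do |line|
    m = line.match(pattern)
    return m[1] if m
  end
  nil
end

# True when +version+ satisfies any of the patched-version requirements.
# Gem::Requirement handles "~>" (pessimistic) and prerelease tags like "rc4".
def patched?(version)
  v = Gem::Version.new(version)
  PATCHED_REQUIREMENTS.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Convenience: [locked version, whether it is patched]; version is nil if absent.
def audit_nokogiri(lock_text)
  version = locked_version(lock_text, "nokogiri")
  [version, version ? patched?(version) : false]
end

if __FILE__ == $PROGRAM_NAME
  version, ok = audit_nokogiri(SAMPLE_LOCK)
  puts "nokogiri #{version.inspect}: #{ok ? 'patched' : 'VULNERABLE, run bundle update nokogiri'}"
end
```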