Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🚨 [security] Update nokogiri 1.15.5 → 1.15.6 (patch) #1458

Merged
merged 1 commit into from
Mar 20, 2024

Conversation

depfu[bot]
Copy link
Contributor

@depfu depfu bot commented Mar 19, 2024


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ nokogiri (1.15.5 → 1.15.6) · Repo · Changelog

Security Advisories 🚨

🚨 Use-after-free in libxml2 via Nokogiri::XML::Reader

Summary

Nokogiri upgrades its dependency libxml2 as follows:

  • v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
  • v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062

Please note that this advisory only applies to the CRuby implementation
of Nokogiri, and only if the packaged libraries are being used. If
you've overridden defaults at installation time to use system libraries
instead of packaged libraries, you should instead pay attention to
your distro's libxml2 release announcements.

JRuby users are not affected.

Severity

The Nokogiri maintainers have evaluated this as Moderate.

Impact

From the CVE description, this issue applies to the xmlTextReader
module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and
XInclude expansion enabled, processing crafted XML documents
can lead to an xmlValidatePopElement use-after-free.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more
complicated mitigation: compile and link Nokogiri against patched
external libxml2 libraries which will also address these same issues.

Release Notes

1.15.6

1.15.6 / 2024-03-16

Note

This security release is a backport to the unsupported v1.15.x branch. Current stable is v1.16.x, which addressed the referenced CVE in v1.16.2 on 2024-02-04.

Security

Dependencies


sha256 checksums:

d79f713dffff149d60ab272d206a3ca96db2b891ab6a9f65362bfb78aface37a  gems/nokogiri-1.15.6-aarch64-linux.gem
62b5b7b387ec6c61c1ea5f889b7bc579eedd37f265f7cc1dc392484938549f1a  gems/nokogiri-1.15.6-arm-linux.gem
ba93c63f5c03047778abf16c80676fe67e7eb7d871ab0aaa7e2c2dfe4ec20027  gems/nokogiri-1.15.6-arm64-darwin.gem
d24639a546ba58c86d18da1ed124eaecbd45c5ae4c4dec41751b730a2b732ac3  gems/nokogiri-1.15.6-java.gem
e36887d89ec1b080e4a01dd2ff52650003db01d2a5edf5e6ab19e4c0bdb1385f  gems/nokogiri-1.15.6-x64-mingw-ucrt.gem
852c59a398499c8fcb6478d76396dcd50afa8f8902563b76265cd7dc90a731a1  gems/nokogiri-1.15.6-x64-mingw32.gem
19e0a5fbfa4393353fbcf6801f8f62350b6e16f43c907680c5884896858a23a2  gems/nokogiri-1.15.6-x86-linux.gem
9d464bbbaad6721a5a73181165fda67573f64ef2803c3337f6f733603e9d309a  gems/nokogiri-1.15.6-x86-mingw32.gem
32d045cdb0ce097e4543a5e7a79efd13ff05d904e32f4328732149dbea3c7f15  gems/nokogiri-1.15.6-x86_64-darwin.gem
26a79da0377100d6938ae2f1b115230a8a4a4595e35b89164d8495af32091186  gems/nokogiri-1.15.6-x86_64-linux.gem
70ce799b4b3e23b358501f1da3914f70b1c7a113fb12e96a7d53558481146e08  gems/nokogiri-1.15.6.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@hennevogel hennevogel merged commit dddfcf2 into master Mar 20, 2024
7 checks passed
@depfu depfu bot deleted the depfu/update/nokogiri-1.15.6 branch March 20, 2024 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant