Update vendored libxml2 to include latest USN addressed by Canonical in USN-2812-1 #1374

Closed
flavorjones opened this issue Nov 16, 2015 · 11 comments

Comments

@flavorjones (Member Author)

@larskanis is preparing the patches

@flavorjones (Member Author)

@larskanis - for some reason on my local dev machine, the new patches aren't being processed during rake build. Looking into it.

@flavorjones (Member Author)

Ah, I see why -- since 1.6.6.2 we moved the patches from port/patches into patches. I'll move them.

@flavorjones (Member Author)

It's building now 👍; will commit changes to v1.6.6.x.

flavorjones added a commit that referenced this issue Nov 16, 2015
@larskanis (Member)

@flavorjones And I was just wondering why I'm not allowed to push the fix for the path...

May I build the Windows binaries?

@flavorjones (Member Author)

@larskanis I think I can take it from here. I'm running valgrind before shipping, because I'm not sure exactly what's changed under the hood in libxml2.

Once those complete, and assuming nothing new comes up, I'm happy to pair with you on building the windows binaries, though it may not be too relevant because the 1.6.6.2 branch is still using the rake-compiler-dev-box (and not the shiny new docker stuff).

@flavorjones (Member Author)

@larskanis You could port the commits you and I made to master, if you like. We can put those into a 1.6.7rc.

@larskanis (Member)

I pushed the one relevant commit to master. The other two are not necessary.

If you still have a rake-compiler-dev-box available, you could build the windows gems. I would use the rake-compiler-dock in interactive mode (the resulting binaries are the same). However for today I must say goodbye. If you have any issues with the windows build, leave a comment - I'll address this tomorrow.

@flavorjones (Member Author)

@larskanis Well, actually the Manifest.txt commit does need to be ported to master, but I'll do it. That file controls what's packaged in the gem when it's built.

@flavorjones (Member Author)

@larskanis Thanks for your help! Will ping you if I don't finish everything today.

@flavorjones (Member Author)

1.6.6.3 has been released.

kerchner added a commit to gwu-libraries/scholarspace that referenced this issue Nov 17, 2015
david-a-wheeler added a commit to coreinfrastructure/best-practices-badge that referenced this issue Nov 27, 2015
  - Our 'rake' process runs bundle-audit, which checks for any
    security advisories in the ruby-advisory-db database.
  - In this case, it found that nokogiri 1.6.6.2 has vulnerability
    advisory CVE-2015-1819, "Nokogiri gem contains
    several vulnerabilities in libxml2 and libxslt".  See:
    sparklemotion/nokogiri#1374
timurvafin added a commit to fs/rails-base that referenced this issue Nov 27, 2015
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt

sparklemotion/nokogiri#1374
sikachu added a commit to houndci/hound that referenced this issue Nov 30, 2015
Previous version of Nokogiri failed the build due to a security vulnerability.

    Name: nokogiri
    Version: 1.6.6.2
    Advisory: CVE-2015-1819
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1374
    Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
    Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4
jessieay pushed a commit to 18F/dolores-landingham-slack-bot that referenced this issue Dec 1, 2015
* To fix Travis build (security concern w old version)
* Source: sparklemotion/nokogiri#1374
c-lliope added a commit to thoughtbot/administrate that referenced this issue Dec 5, 2015
Problem:

Running `bundler-audit` reveals a security vulnerability in Nokogiri,
which can be traced back to a libxml2 vulnerability.

```
$ bundle-audit
Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Vulnerabilities found!
```

Solution:

Update nokogiri to `~> 1.6.6.4`, as suggested.

References:

https://github.com/rubysec/bundler-audit
sparklemotion/nokogiri#1374
http://www.ubuntu.com/usn/usn-2812-1/
c-lliope added a commit to thoughtbot/administrate that referenced this issue Dec 5, 2015
Problem:

Running `bundler-audit` reveals a security vulnerability in Nokogiri,
which can be traced back to a libxml2 vulnerability.

```
$ bundle-audit
Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Vulnerabilities found!
```

Solution:

Update nokogiri to `~> 1.6.6.4`, as suggested.

Nokogiri is a dependency of capybara,
which is a dependency of poltergeist.

We only need to specify the nokogiri version for the test bundler group,
which already depends on it.

References:

https://github.com/rubysec/bundler-audit
sparklemotion/nokogiri#1374
http://www.ubuntu.com/usn/usn-2812-1/

Only use nokogiri in test bundler group

Nokogiri is a dependency of capybara,
which is a dependency of poltergeist.
We only need to specify nokogiri for bundler groups that already depend
on it.
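An added example (not code from nokogiri, bundler-audit, or any of the commit authors above) that turns the report format quoted in this thread into a check: it parses the `Name:`/`Solution:` blocks bundler-audit prints, reads the resolved nokogiri version from a Gemfile.lock, and lists the findings the lock still fails after a version bump. The report and lockfile text are constructed from versions quoted on this page, and all method names are this example's own.

```ruby
# Added example for this thread (not code from nokogiri or bundler-audit):
# parse the plain-text report bundler-audit prints, turn each finding's
# "Solution:" line into Gem::Requirement objects, and check which
# findings a Gemfile.lock still fails after a version bump.
require "rubygems"

# Constructed sample report, assembled from two findings quoted in this thread.
SAMPLE_REPORT = <<~REPORT
  Name: nokogiri
  Version: 1.6.6.2
  Advisory: CVE-2015-1819
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1374
  Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
  Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

  Name: nokogiri
  Version: 1.6.6.2
  Advisory: CVE-2015-5312
  Criticality: High
  URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
  Title: Nokogiri gem contains several vulnerabilities in libxml2
  Solution: upgrade to >= 1.6.7.1

  Vulnerabilities found!
REPORT

# Constructed Gemfile.lock fragment pinning the vulnerable version.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile (0.6.2)
      nokogiri (1.6.6.2)
        mini_portile (~> 0.6.0)
LOCK

Finding = Struct.new(:name, :version, :advisory, :criticality, :url, :title, :requirements)

# "upgrade to ~> 1.6.6.4, >= 1.6.7.rc4" lists alternative patched
# version lines; satisfying any one of them fixes the finding.
def parse_solution(text)
  text.sub(/\Aupgrade to\s*/, "").split(",").map { |r| Gem::Requirement.new(r.strip) }
end

# Findings are "Key: value" blocks separated by blank lines; the trailing
# "Vulnerabilities found!" line carries no fields and is dropped.
def parse_audit_report(text)
  text.split(/\n\s*\n/).map do |block|
    fields = {}
    block.each_line do |line|
      key, value = line.strip.split(/:\s*/, 2)
      fields[key.downcase] = value if value && key =~ /\A[A-Za-z]+\z/
    end
    next unless fields["name"] && fields["solution"]
    Finding.new(fields["name"], fields["version"], fields["advisory"],
                fields["criticality"], fields["url"], fields["title"],
                parse_solution(fields["solution"]))
  end.compact
end

# Resolved version of a top-level spec in Gemfile.lock (4-space indent);
# a platform suffix such as "-x86-mingw32" is not part of the version.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^    #{Regexp.escape(gem_name)} \(([^)\s-]+)/)
  m && m[1]
end

# A finding is fixed when the installed version satisfies any patched line.
def fixed?(finding, installed_version)
  version = Gem::Version.new(installed_version)
  finding.requirements.any? { |req| req.satisfied_by?(version) }
end

# Findings whose gem is still locked at a version no patched line accepts.
def remaining_findings(report_text, lockfile_text)
  parse_audit_report(report_text).reject do |finding|
    locked = locked_version(lockfile_text, finding.name)
    locked && fixed?(finding, locked)
  end
end

if $PROGRAM_NAME == __FILE__
  remaining_findings(SAMPLE_REPORT, SAMPLE_LOCK).each do |f|
    puts "#{f.advisory} (#{f.criticality}): #{f.name} #{f.version} -> #{f.requirements.join(' or ')}"
  end
end
```

Each comma-separated entry on the `Solution:` line is an alternative patched release line, so a lock at 1.6.6.4 clears CVE-2015-1819 but not CVE-2015-5312, which needs 1.6.7.1. Note that the 1.6.6.3 release announced earlier in this thread does not satisfy `~> 1.6.6.4`; pin to the advisory's requirement, not to the version named in the discussion.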
grosser added a commit to zendesk/samson that referenced this issue Dec 13, 2015
```
Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4
```
derekprior added a commit to thoughtbot/upcase that referenced this issue Jan 13, 2016
This fixes two CVEs:

```
Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-5312
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
Title: Nokogiri gem contains several vulnerabilities in libxml2
Solution: upgrade to >= 1.6.7.1
```
sophomoric pushed a commit to sophomoric/secret that referenced this issue Jan 18, 2016
Koronen added a commit to stringer-rss/stringer that referenced this issue Jan 24, 2016
Updates four vulnerable gems, as reported by the `bundler-audit` gem.

- [X] activesupport
- [X] nokogiri
- [X] rack
- [X] rest-client

    $ bundle-audit check
    Name: activesupport
    Version: 4.0.13
    Advisory: CVE-2015-3227
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
    Title: Possible Denial of Service attack in Active Support
    Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22

    Name: nokogiri
    Version: 1.6.1
    Advisory: CVE-2015-5312
    Criticality: High
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
    Title: Nokogiri gem contains several vulnerabilities in libxml2
    Solution: upgrade to >= 1.6.7.1

    Name: nokogiri
    Version: 1.6.1
    Advisory: CVE-2015-7499
    Criticality: Medium
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
    Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in
           libxml2
    Solution: upgrade to >= 1.6.7.2

    Name: nokogiri
    Version: 1.6.1
    Advisory: CVE-2015-1819
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1374
    Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
    Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

    Name: nokogiri
    Version: 1.6.1
    Advisory: 118481
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1087
    Title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS
    Solution: upgrade to >= 1.6.3

    Name: rack
    Version: 1.5.2
    Advisory: CVE-2015-3225
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
    Title: Potential Denial of Service Vulnerability in Rack
    Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6

    Name: rest-client
    Version: 1.6.7
    Advisory: CVE-2015-1820
    Criticality: Unknown
    URL: rest-client/rest-client#369
    Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie
           headers in 30x redirection responses
    Solution: upgrade to >= 1.8.0

    Name: rest-client
    Version: 1.6.7
    Advisory: CVE-2015-3448
    Criticality: Unknown
    URL: http://www.osvdb.org/show/osvdb/117461
    Title: Rest-Client Gem for Ruby logs password information in plaintext
    Solution: upgrade to >= 1.7.3

    Vulnerabilities found!
Koronen added a commit to stringer-rss/stringer that referenced this issue Jan 24, 2016
CloCkWeRX added a commit to CloCkWeRX/growstuff that referenced this issue Mar 28, 2016
Version: 1.6.5
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.6.5
Advisory: CVE-2015-7499
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Solution: upgrade to >= 1.6.7.2

Name: nokogiri
Version: 1.6.5
Advisory: CVE-2015-5312
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
Title: Nokogiri gem contains several vulnerabilities in libxml2
Solution: upgrade to >= 1.6.7.1
CloCkWeRX added a commit to CloCkWeRX/planningalerts-app that referenced this issue Apr 2, 2016
Name: nokogiri
Version: 1.5.11
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.5.11
Advisory: 118481
Criticality: Unknown
URL: sparklemotion/nokogiri#1087
Title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS
Solution: upgrade to >= 1.6.3
dentarg added a commit to dentarg/skuld that referenced this issue May 19, 2016
    $ bundle-audit
    Name: nokogiri
    Version: 1.6.6.2
    Advisory: CVE-2015-1819
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1374
    Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
    Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

    Name: nokogiri
    Version: 1.6.6.2
    Advisory: CVE-2015-5312
    Criticality: High
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
    Title: Nokogiri gem contains several vulnerabilities in libxml2
    Solution: upgrade to >= 1.6.7.1

    Name: nokogiri
    Version: 1.6.6.2
    Advisory: CVE-2015-7499
    Criticality: Medium
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
    Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
    Solution: upgrade to >= 1.6.7.2
CloCkWeRX added a commit to CloCkWeRX/OpenFarm that referenced this issue Sep 14, 2016
Version: 1.6.6.1
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.6.6.1
Advisory: CVE-2015-8806
Criticality: Unknown
URL: sparklemotion/nokogiri#1473
Title: Denial of service or RCE from libxml2 and libxslt
Solution: upgrade to >= 1.6.8

Name: nokogiri
Version: 1.6.6.1
Advisory: CVE-2015-7499
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Solution: upgrade to >= 1.6.7.2

Name: nokogiri
Version: 1.6.6.1
Advisory: CVE-2015-5312
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
Title: Nokogiri gem contains several vulnerabilities in libxml2
Solution: upgrade to >= 1.6.7.1
TanSA05 pushed a commit to TanSA05/OpenFarm that referenced this issue Sep 29, 2016
jage added a commit to Starkast/wikimum that referenced this issue Dec 13, 2016
Nokogiri needed to get updated (security issues)

	Name: nokogiri
	Version: 1.6.5
	Advisory: CVE-2015-1819
	Criticality: Unknown
	URL: sparklemotion/nokogiri#1374
	Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
	Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

	Name: nokogiri
	Version: 1.6.5
	Advisory: CVE-2015-5312
	Criticality: High
	URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
	Title: Nokogiri gem contains several vulnerabilities in libxml2
	Solution: upgrade to >= 1.6.7.1

	Name: nokogiri
	Version: 1.6.5
	Advisory: CVE-2015-7499
	Criticality: Medium
	URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
	Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
	Solution: upgrade to >= 1.6.7.2
svqualitydev pushed a commit to svqualitydev/admin-cms that referenced this issue Dec 16, 2019
KingTiger001 added a commit to KingTiger001/admin-Rails-project that referenced this issue Jan 15, 2023
couponsdiscountspromocodesdiscounts added a commit to couponsdiscountspromocodesdiscounts/administrate that referenced this issue Aug 16, 2024