Update vendored libxml2 to include latest USN addressed by Canonical in USN-2812-1 #1374
Comments
@larskanis is preparing the patches
This fixes issue #1374 and the following CVEs: CVE-2015-1819 CVE-2015-7941_1 CVE-2015-7941_2 CVE-2015-7942 CVE-2015-7942-2 CVE-2015-8035 CVE-2015-7995
@larskanis - for some reason on my local dev machine, the new patches aren't being processed during
Ah, I see why -- since 1.6.6.2 we moved the patches from
Is building now 👍, will commit changes to
@flavorjones And I just wondered why I'm not allowed to push the fix of the path... May I build the Windows binaries?
@larskanis I think I can take it from here. I'm running valgrind before shipping, because I'm not sure exactly what's changed under the hood in libxml2. Once those complete, and assuming nothing new comes up, I'm happy to pair with you on building the Windows binaries, though it may not be too relevant because the 1.6.6.2 branch is still using the rake-compiler-dev-box (and not the shiny new docker stuff).
@larskanis You could port the commits you and I made to master, if you like. We can put those into a 1.6.7rc.
I pushed the one relevant commit to master. The other two are not necessary. If you still have a rake-compiler-dev-box available, you could build the Windows gems. I would use the rake-compiler-dock in interactive mode (the resulting binaries are the same). However, for today I must say goodbye. If you have any issues with the Windows build, leave a comment - I'll address this tomorrow.
@larskanis Well, actually the Manifest.txt commit is necessary to be ported to master, but I'll do it. That file controls what's packaged in the gem when it's built.
@larskanis Thanks for your help! Will ping you if I don't finish everything today.
1.6.6.3 has been released. |
- Our 'rake' process runs bundle-audit, which checks for any security advisories in the ruby-advisory-db database.
- In this case, it found that nokogiri 1.6.6.2 has vulnerability advisory CVE-2015-1819, "Nokogiri gem contains several vulnerabilities in libxml2 and libxslt". See: sparklemotion/nokogiri#1374
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt sparklemotion/nokogiri#1374
Previous version of Nokogiri failed the build due to security vulnerability.

```
Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4
```

* To fix Travis build (security concern w old version)
* Source: sparklemotion/nokogiri#1374
Problem: Running `bundler-audit` reveals a security vulnerability in Nokogiri, which can be traced back to a libxml2 vulnerability.

```
$ bundle-audit
Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Vulnerabilities found!
```

Solution: Update nokogiri to `~> 1.6.6.4`, as suggested.

References:
https://github.com/rubysec/bundler-audit
sparklemotion/nokogiri#1374
http://www.ubuntu.com/usn/usn-2812-1/
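As an added illustration (not code from the nokogiri project or from any commit in this thread), the Ruby script below parses the bundle-audit report quoted above and evaluates the advisory's `Solution` line the way bundler-audit does: each comma-separated item is an independent `Gem::Requirement`, and a version counts as patched if it satisfies any one of them. The function names `parse_audit`, `patched_requirements` and `vulnerable?` and the embedded sample report are assumptions of this example.

```ruby
# Added example: parse the bundle-audit report format quoted in this thread
# and decide whether a candidate gem version is still covered by the advisory.
require "rubygems"

# Constructed sample input: the report quoted in the commit message above.
REPORT = <<~AUDIT
  Name: nokogiri
  Version: 1.6.6.2
  Advisory: CVE-2015-1819
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1374
  Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
  Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4
  Vulnerabilities found!
AUDIT

# Split the report into one hash per "Name:" block. Lines without a
# "key: value" shape (such as "Vulnerabilities found!") are ignored.
def parse_audit(text)
  entries = []
  text.each_line do |line|
    key, _sep, value = line.strip.partition(": ")
    next if value.empty?
    entries << {} if key == "Name"
    entries.last[key.downcase.to_sym] = value if entries.last
  end
  entries
end

# bundle-audit joins the advisory's patched versions with ", ". Each item is
# its own Gem::Requirement, so "~> 1.6.6.4, >= 1.6.7.rc4" reads as an
# alternation: ~> 1.6.6.4 (>= 1.6.6.4 and < 1.6.7) OR >= 1.6.7.rc4.
def patched_requirements(solution)
  solution.sub(/\Aupgrade to /, "").split(",").map { |r| Gem::Requirement.new(r.strip) }
end

# A version is vulnerable when it satisfies none of the patched requirements.
def vulnerable?(entry, version)
  v = Gem::Version.new(version)
  patched_requirements(entry[:solution]).none? { |req| req.satisfied_by?(v) }
end

if __FILE__ == $PROGRAM_NAME
  parse_audit(REPORT).each do |e|
    %w[1.6.6.2 1.6.6.3 1.6.6.4 1.6.7.rc4 1.6.7].each do |v|
      state = vulnerable?(e, v) ? "VULNERABLE" : "patched"
      puts "#{e[:name]} #{v}: #{state} (#{e[:advisory]})"
    end
  end
end
```

Note that `Gem::Requirement#satisfied_by?` does not exclude prereleases, which is why `1.6.7.rc4` is accepted by `>= 1.6.7.rc4` here.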
Problem: Running `bundler-audit` reveals a security vulnerability in Nokogiri, which can be traced back to a libxml2 vulnerability.

```
$ bundle-audit
Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Vulnerabilities found!
```

Solution: Update nokogiri to `~> 1.6.6.4`, as suggested.

Nokogiri is a dependency of capybara, which is a dependency of poltergeist. We only need to specify the nokogiri version for the test bundler group, which already depends on it.

References:
https://github.com/rubysec/bundler-audit
sparklemotion/nokogiri#1374
http://www.ubuntu.com/usn/usn-2812-1/

Only use nokogiri in test bundler group

Nokogiri is a dependency of capybara, which is a dependency of poltergeist. We only need to specify nokogiri for bundler groups that already depend on it.
```
Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4
```
This fixes two CVEs:

```
Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-5312
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
Title: Nokogiri gem contains several vulnerabilities in libxml2
Solution: upgrade to >= 1.6.7.1
```
Updates four vulnerable gems, as reported by the `bundler-audit` gem.

- [X] activesupport
- [X] nokogiri
- [X] rack
- [X] rest-client

```
$ bundle-audit check
Name: activesupport
Version: 4.0.13
Advisory: CVE-2015-3227
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
Title: Possible Denial of Service attack in Active Support
Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22

Name: nokogiri
Version: 1.6.1
Advisory: CVE-2015-5312
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
Title: Nokogiri gem contains several vulnerabilities in libxml2
Solution: upgrade to >= 1.6.7.1

Name: nokogiri
Version: 1.6.1
Advisory: CVE-2015-7499
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Solution: upgrade to >= 1.6.7.2

Name: nokogiri
Version: 1.6.1
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.6.1
Advisory: 118481
Criticality: Unknown
URL: sparklemotion/nokogiri#1087
Title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS
Solution: upgrade to >= 1.6.3

Name: rack
Version: 1.5.2
Advisory: CVE-2015-3225
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
Title: Potential Denial of Service Vulnerability in Rack
Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6

Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-1820
Criticality: Unknown
URL: rest-client/rest-client#369
Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0

Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-3448
Criticality: Unknown
URL: http://www.osvdb.org/show/osvdb/117461
Title: Rest-Client Gem for Ruby logs password information in plaintext
Solution: upgrade to >= 1.7.3

Vulnerabilities found!
```
```
Version: 1.6.5
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.6.5
Advisory: CVE-2015-7499
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Solution: upgrade to >= 1.6.7.2

Name: nokogiri
Version: 1.6.5
Advisory: CVE-2015-5312
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
Title: Nokogiri gem contains several vulnerabilities in libxml2
Solution: upgrade to >= 1.6.7.1
```
```
Name: nokogiri
Version: 1.5.11
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.5.11
Advisory: 118481
Criticality: Unknown
URL: sparklemotion/nokogiri#1087
Title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS
Solution: upgrade to >= 1.6.3
```
```
$ bundle-audit
Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-5312
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
Title: Nokogiri gem contains several vulnerabilities in libxml2
Solution: upgrade to >= 1.6.7.1

Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-7499
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Solution: upgrade to >= 1.6.7.2
```
```
Version: 1.6.6.1
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.6.6.1
Advisory: CVE-2015-8806
Criticality: Unknown
URL: sparklemotion/nokogiri#1473
Title: Denial of service or RCE from libxml2 and libxslt
Solution: upgrade to >= 1.6.8

Name: nokogiri
Version: 1.6.6.1
Advisory: CVE-2015-7499
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Solution: upgrade to >= 1.6.7.2

Name: nokogiri
Version: 1.6.6.1
Advisory: CVE-2015-5312
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
Title: Nokogiri gem contains several vulnerabilities in libxml2
Solution: upgrade to >= 1.6.7.1
```
Nokogiri needed to get updated (security issues)

```
Name: nokogiri
Version: 1.6.5
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.6.5
Advisory: CVE-2015-5312
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
Title: Nokogiri gem contains several vulnerabilities in libxml2
Solution: upgrade to >= 1.6.7.1

Name: nokogiri
Version: 1.6.5
Advisory: CVE-2015-7499
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Solution: upgrade to >= 1.6.7.2
```
Context:
The relevant commits are:
I'd like to get these patches merged if necessary and release as v1.6.6.3 as soon as possible.