Update Nokogiri for a security patch #294

Merged (1 commit), Dec 5, 2015
Conversation

@c-lliope (Contributor) commented Dec 5, 2015

Problem:

Running bundler-audit reveals a security vulnerability in Nokogiri,
which can be traced back to a libxml2 vulnerability.

```
$ bundle-audit
Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-1819
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Vulnerabilities found!
```

Solution:

Update nokogiri to ~> 1.6.6.4, as suggested.

Nokogiri is a dependency of capybara,
which is a dependency of poltergeist.

We only need to specify the nokogiri version for the test bundler group, which already depends on it.

References:

https://github.com/rubysec/bundler-audit
sparklemotion/nokogiri#1374
http://www.ubuntu.com/usn/usn-2812-1/
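The "Solution" line above is a list of patched-version requirements, and a locked gem is safe as soon as it satisfies any one of them. The check below reproduces that decision with RubyGems' own `Gem::Requirement` / `Gem::Version` comparison, reading the locked nokogiri version out of a Gemfile.lock so it can be run in CI before the lockfile changes land. This is an added example and not code from the PR, the repository, or bundler-audit; the `SAMPLE_LOCK` excerpt is constructed for the example and is not the project's real lockfile, and `locked_version`, `patched?` and `vulnerable?` are hypothetical helper names.

```ruby
require "rubygems"

# Patched-version requirements exactly as bundle-audit printed them for
# CVE-2015-1819 (Gem::Requirement syntax, so "~>" and prereleases work).
PATCHED = ["~> 1.6.6.4", ">= 1.6.7.rc4"].freeze

# Constructed Gemfile.lock excerpt (not the repository's real lockfile).
# Top-level specs are indented 4 spaces, their dependencies 6 spaces; the
# capybara -> nokogiri -> (poltergeist -> capybara) chain mirrors the PR text.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      capybara (2.5.0)
        nokogiri (>= 1.3.3)
      mini_portile (0.6.2)
      nokogiri (1.6.6.2)
        mini_portile (~> 0.6.0)
      poltergeist (1.8.1)
        capybara (~> 2.1)
LOCK

# Return the locked version string of +gem_name+, or nil if it is not in the
# lockfile. Only 4-space spec lines match, so dependency constraints such as
# "      nokogiri (>= 1.3.3)" are ignored. A platform suffix
# ("1.6.6.2-x86-mingw32") is dropped so Gem::Version does not treat it as a
# prerelease tag.
def locked_version(lock_text, gem_name)
  m = lock_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  m && m[1].split("-", 2).first
end

# True when +version+ satisfies ANY of the patched requirements; this is the
# same "any patched_versions requirement" rule an advisory check applies.
def patched?(version, patched = PATCHED)
  v = Gem::Version.new(version)
  patched.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# True only when the gem is locked AND its version is not patched.
def vulnerable?(lock_text, gem_name, patched = PATCHED)
  version = locked_version(lock_text, gem_name)
  return false if version.nil?   # not in the bundle at all
  !patched?(version, patched)
end

if __FILE__ == $PROGRAM_NAME
  version = locked_version(SAMPLE_LOCK, "nokogiri")
  status  = vulnerable?(SAMPLE_LOCK, "nokogiri") ? "VULNERABLE" : "ok"
  puts "nokogiri #{version}: #{status} (patched: #{PATCHED.join(', ')})"
end
```

With the sample lockfile the script reports `nokogiri 1.6.6.2: VULNERABLE`; after the pin in this PR (`gem "nokogiri", "~> 1.6.6.4"` in the `:test` group) the lock moves to a 1.6.6.x release at or above 1.6.6.4, which satisfies the first requirement, and the same check passes. Because `patched?` uses `Gem::Requirement`, the prerelease requirement `>= 1.6.7.rc4` is handled correctly as well: 1.6.7.rc4 and every later 1.6.7 release satisfy it.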

@tute (Contributor) commented Dec 5, 2015

👍


Only use nokogiri in test bundler group

Nokogiri is a dependency of capybara,
which is a dependency of poltergeist.
We only need to specify nokogiri for bundler groups that already depend
on it.
@c-lliope (Contributor, Author) commented Dec 5, 2015

Thanks, @tute!

@c-lliope c-lliope closed this Dec 5, 2015
@c-lliope c-lliope deleted the gw-update-nokogiri branch December 5, 2015 17:10
@c-lliope c-lliope merged commit 12e0db4 into master Dec 5, 2015
@c-lliope c-lliope removed the In Review label Dec 5, 2015