Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require nokogiri ~> 1.8.2 due to vulnerability in libxml2 #96

Merged
merged 1 commit into from
Jul 12, 2018
Merged

Require nokogiri ~> 1.8.2 due to vulnerability in libxml2 #96

merged 1 commit into from
Jul 12, 2018

Conversation

vvassiliouk
Copy link
Contributor

@vvassiliouk vvassiliouk commented Jul 9, 2018
edited
Loading

The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.6 in version 1.8.2

It was discovered that libxml2 incorrecty handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.

More info from Nokogiri repo: sparklemotion/nokogiri#1714

We're also requiring ruby version >= 2.1 due to nokogiri

@vvassiliouk vvassiliouk requested a review from darnaut July 9, 2018 23:56
@vvassiliouk vvassiliouk force-pushed the airbnb/vvassiliouk/require-nokogiri-1.8.2 branch 3 times, most recently from 4a16697 to a8837fe Compare July 10, 2018 00:04
ljharb
ljharb approved these changes Jul 10, 2018
View reviewed changes
CHANGELOG.md Outdated
@@ -1,3 +1,6 @@
# 0.11.12
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typically version numbers aren't bumped in PRs; but rather on a commit directly to master. nbd tho

@vvassiliouk vvassiliouk force-pushed the airbnb/vvassiliouk/require-nokogiri-1.8.2 branch from a8837fe to ab3723e Compare July 10, 2018 00:20
@vvassiliouk
Copy link
Contributor Author

@darnaut @noggi Please take a look when possible.

@vvassiliouk vvassiliouk merged commit 5bbc81c into master Jul 12, 2018
@vvassiliouk vvassiliouk deleted the airbnb/vvassiliouk/require-nokogiri-1.8.2 branch July 12, 2018 20:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@noggi noggi noggi approved these changes

@darnaut darnaut darnaut approved these changes

@ljharb ljharb ljharb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@vvassiliouk @ljharb @darnaut @noggi