
[GHSA-r58r-74gx-6wx3] Nokogiri gem, via libxml, is affected by DoS vulnerabilities #2655

Closed

Conversation

owst

@owst owst commented Aug 26, 2023

Updates

  • Affected products

Comments
The nokogiri version is different to the underlying libxml version. As per this comment (and the following one), nokogiri 1.8.2 includes libxml 2.9.7 and thus addresses CVE-2017-15412.

sparklemotion/nokogiri#1714 (comment)

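The version confusion above is exactly what a practitioner has to resolve by hand: the advisory keys on the gem version, but the fix is a libxml2 release that a given nokogiri version bundles. The following is an added example, not code from this thread or from the nokogiri project. It takes the fixed version the thread names (nokogiri 1.8.2, bundling libxml2 2.9.7) as given, scans a Gemfile.lock for the pinned nokogiri version, and classifies it; the lockfile fragments are constructed, and the `"loaded"` key under `Nokogiri::VERSION_INFO["libxml"]` is an assumption about the gem's own reporting hash.

```ruby
# Added example, not code from the advisory thread or the nokogiri project.
# Flags a Gemfile.lock whose pinned nokogiri is older than the version the
# thread identifies as fixed (1.8.2, which bundles libxml2 2.9.7).
require "rubygems"

# Fixed gem version as stated in the thread; the libxml2 mapping is carried
# from the thread, not re-verified here.
FIXED_NOKOGIRI = Gem::Version.new("1.8.2")
FIXED_LIBXML   = "2.9.7"

# Pull the pinned nokogiri version out of the `specs:` block of a Gemfile.lock.
# Only the numeric part is captured so that platform gems such as
# `nokogiri (1.13.3-x86_64-linux)` are not misread as prereleases by Gem::Version.
def nokogiri_version(lockfile_text)
  m = lockfile_text.match(/^ {4}nokogiri \((\d+(?:\.\d+)*)/)
  m && Gem::Version.new(m[1])
end

# :not_present, :vulnerable or :fixed for the given lockfile contents.
def nokogiri_status(lockfile_text)
  v = nokogiri_version(lockfile_text)
  return :not_present unless v
  v >= FIXED_NOKOGIRI ? :fixed : :vulnerable
end

# If the gem is loadable in this Ruby, report the libxml2 it actually loaded.
# Nokogiri::VERSION_INFO is the gem's own hash; the "loaded" key is assumed.
def runtime_libxml_version
  require "nokogiri"
  Nokogiri::VERSION_INFO.dig("libxml", "loaded")
rescue LoadError, StandardError
  nil
end

# Constructed lockfile fragments (not real project files).
LOCK_OLD = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.3.0)
      nokogiri (1.8.1)
        mini_portile2 (~> 2.3.0)

  DEPENDENCIES
    nokogiri (~> 1.8)
LOCK

LOCK_FIXED = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.3.0)
      nokogiri (1.8.2)
        mini_portile2 (~> 2.3.0)
LOCK

LOCK_PLATFORM = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.3-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  { "old" => LOCK_OLD, "fixed" => LOCK_FIXED, "platform" => LOCK_PLATFORM }.each do |name, text|
    puts "#{name}: nokogiri #{nokogiri_version(text)} -> #{nokogiri_status(text)} " \
         "(fixed at #{FIXED_NOKOGIRI}, libxml2 #{FIXED_LIBXML})"
  end
  puts "runtime libxml2: #{runtime_libxml_version || 'nokogiri not loaded'}"
end
```

The lockfile check answers the question a scanner is asking (is the gem at or above the fixed release), while `runtime_libxml_version` answers the question the CVE is really about (which libxml2 is linked), which matters when nokogiri is built against a system libxml2 rather than the bundled one.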
@github-actions github-actions bot changed the base branch from main to owst/advisory-improvement-2655 August 26, 2023 10:40
@chadlwilson
Contributor

chadlwilson commented Aug 26, 2023

Thanks @owst - this false positive noise must be on nearly every ruby project in the ecosystem.

Pretty frustrating lack of quality control here to get the versions all wrong given the noise it creates :(

The specific commit which confirms the fixed tag version is sparklemotion/nokogiri@1756096 from sparklemotion/nokogiri#1689 and sparklemotion/nokogiri#1688

@github-actions github-actions bot deleted the owst-GHSA-r58r-74gx-6wx3 branch August 26, 2023 12:31
@owst
Author

owst commented Aug 26, 2023

Hmm, I'm not sure what's gone on here - this PR was closed without merging and no (obvious) other change was committed to correct the advisory. The PR was created via https://github.com/advisories/GHSA-r58r-74gx-6wx3/improve

@chadlwilson
Contributor

I’m not sure either. The branch hijinx and bot automation here is a mystery to me.
