🚨 [security] Update nokogiri: 1.8.4 → 1.8.5 (patch) (#20)

<hr>

🚨 <b>Your version of nokogiri has known security vulnerabilities</b> 🚨

Advisory: CVE-2018-14404
Disclosed: October 04, 2018
URL: [https://github.com/sparklemotion/nokogiri/issues/1785](https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785)

<details>
<summary>Nokogiri gem, via libxml2, is affected by multiple vulnerabilities</summary>
<blockquote>
  <p>Nokogiri 1.8.5 has been released.</p>
<p>This is a security and bugfix release. It addresses two CVEs in upstream<br>
libxml2 rated as "medium" by Red Hat, for which details are below.</p>
<p>If you're using your distro's system libraries, rather than Nokogiri's<br>
vendored libraries, there's no security need to upgrade at this time,<br>
though you may want to check with your distro whether they've patched this<br>
(Canonical has patched Ubuntu packages). Note that these patches are not<br>
yet (as of 2018-10-04) in an upstream release of libxml2.</p>
<p>Full details about the security update are available in Github Issue <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>.<br>
[<a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>]: <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a></p>
<hr>
<p>[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404<br>
and CVE-2018-14567. Full details are available in <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>. Note that these<br>
patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p>
<hr>
<p>CVE-2018-14404</p>
<p>Permalink:</p>
<p><a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14404.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html</a></p>
<p>Description:</p>
<p>A NULL pointer dereference vulnerability exists in the<br>
xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when<br>
parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR<br>
case. Applications processing untrusted XSL format inputs with the use of<br>
the libxml2 library may be vulnerable to a denial of service attack due<br>
to a crash of the application</p>
<p>Canonical rates this vulnerability as "Priority: Medium"</p>
<hr>
<p>CVE-2018-14567</p>
<p>Permalink:</p>
<p><a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14567.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html</a></p>
<p>Description:</p>
<p>infinite loop in LZMA decompression</p>
<p>Canonical rates this vulnerability as "Priority: Medium"</p>
</blockquote>
</details>
<br>
🚨 <b>We recommend to merge and deploy this update as soon as possible!</b> 🚨
<hr>


We've updated a dependency and here is what you need to know:

| name | version specification | old version | new version |
| --- | --- | --- | --- |
| nokogiri | _indirect dependency_ | 1.8.4 | 1.8.5 |



You should probably take a good look at the info here and the test results before merging this pull request, of course.

### What changed?


#### ↗️ nokogiri (_indirect_, 1.8.4 → 1.8.5) · [Repo](https://github.com/sparklemotion/nokogiri/) · [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md)


<details>
<summary>Commits</summary>
<p><a href="https://github.com/sparklemotion/nokogiri/compare/254f3414811b6d2fff8b0630efe4ce8d29778fb6...e28fa4bb2ed6844c3c63f58062d034e7b99fc90c">See the full diff on Github</a>. The new version differs by 11 commits:</p>

<ul>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/e28fa4bb2ed6844c3c63f58062d034e7b99fc90c"><code>version bump to v1.8.5</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/712edef8a8c7fa593e09517891d336758af42cba"><code>update changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7feb4c167a9ae1ba4e87923597ba7e7b309b1713"><code>Merge branch &#39;fix-1773&#39;</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7cc6cf6a74bd718b46182f0e646b63ff0a00f728"><code>Organize imports in XmlNode.java.</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/169744261c5c023dff40de0811a826ad4d1fcc05"><code>Allow reparenting nodes to be a child of an empty document.</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7b8cd0f5b15a926e92c869b450dd6f71cdd17b61"><code>Merge pull request #1786 from sparklemotion/1785-canonical-usns</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/5bff4bb3f1692069c617f4333b2ccc5570f0f414"><code>pull in upstream libxml2 patches</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/c232226448a44bb81220d3750a6453a0aef88fb1"><code>changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/862b88f39264b7b5e223a63e3d4d0eeade4db9ff"><code>changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/b3750eb71e101287aa0e7a231232222c7213b3f3"><code>remove `-Wextra` CFLAG</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/91a63d55eb92ef0bcb141b6c094a28ef026eaf16"><code>add tests for pkg-config failure scenario</code></a></li>
</ul>
</details>




---
![Depfu Status](https://depfu.com/badges/0a723c09b68149a932bdb420ef5f5e4e/stats.svg)

[Depfu](https://depfu.com) will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`.

<details><summary>All Depfu comment commands</summary>
<blockquote><dl>
<dt>@​depfu rebase</dt><dd>Rebases against your default branch and redoes this update</dd>
<dt>@​depfu pause</dt><dd>Ignores all future updates for this dependency and closes this PR</dd>
<dt>@​depfu pause [minor|major]</dt><dd>Ignores all future minor/major updates for this dependency and closes this PR</dd>
<dt>@​depfu resume</dt><dd>Future versions of this dependency will create PRs again (leaves this PR as is)</dd>
</dl></blockquote>
</details>

Gemfile.lock

@@ -109,7 +109,7 @@ GEM
     multi_json (1.13.1)
     multipart-post (2.0.0)
     nio4r (2.3.1)
-    nokogiri (1.8.4)
+    nokogiri (1.8.5)
       mini_portile2 (~> 2.3.0)
     orm_adapter (0.5.0)
     pg (0.21.0)