[Security] Bump nokogiri from 1.13.8 to 1.15.2
Bumps nokogiri from 1.13.8 to 1.15.2. This update includes security fixes.
Vulnerabilities fixed
Unchecked return value from xmlTextReaderExpand
Summary
Nokogiri 1.13.8 and 1.13.9 fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. When invalid markup is being parsed this leads to a null pointer dereference in the C extension, which crashes the parsing process rather than raising a Ruby exception the caller could rescue. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation
Upgrade to Nokogiri >= 1.13.10. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.

Severity
The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
... (truncated)
Patched versions: 1.13.10 Affected versions: >= 1.13.8, < 1.13.10
Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Summary
Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to v2.10.3 from v2.9.14.
libxml2 v2.10.3 addresses the following known vulnerabilities:
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.9, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation
Upgrade to Nokogiri >= 1.13.9. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against an external libxml2 >= 2.10.3, which will also address these same issues.
... (truncated)
Patched versions: 1.13.9 Affected versions: < 1.13.9
Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs
Summary
Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to v2.10.4 from v2.10.3.
libxml2 v2.10.4 addresses the following known vulnerabilities:
- CVE-2023-29469: Hashing of empty dict strings isn't deterministic
- CVE-2023-28484: Fix null deref in xmlSchemaFixupComplexType
- Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation
Upgrade to Nokogiri >= 1.14.3. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against an external libxml2 >= 2.10.4, which will also address these same issues.
... (truncated)
Patched versions: 1.14.3 Affected versions: < 1.14.3
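The three advisories above each give an affected version range, and two of them apply only when the packaged libxml2 is in use. The following Ruby script is an added example by the editor, not Nokogiri's or Dependabot's code: it reads the pinned nokogiri version out of a Gemfile.lock, checks it against the ranges quoted in the advisories, and evaluates the "link against an external libxml2" mitigation. It assumes the Gemfile.lock line format `    nokogiri (1.13.8-x86_64-linux)` and that `Nokogiri::VERSION_INFO["libxml"]` exposes `"source"` ("packaged" or "system") and `"loaded"` (the libxml2 version actually linked); the Gemfile.lock text is constructed for the example.

```ruby
# Added example (not Nokogiri's code): match a locked nokogiri version against the
# three advisory ranges on this page, honouring the "packaged libraries only" caveat.
require "rubygems" # Gem::Version and Gem::Requirement are part of the standard library

# Ranges exactly as stated in the advisories quoted above.
ADVISORIES = {
  "unchecked xmlTextReaderExpand return in XML::Reader#attribute_hash" =>
    { affected: [">= 1.13.8", "< 1.13.10"], patched: "1.13.10", packaged_libxml_only: false },
  "bundled libxml2 updated to 2.10.3 (CRuby, packaged libs only)" =>
    { affected: ["< 1.13.9"], patched: "1.13.9", packaged_libxml_only: true },
  "bundled libxml2 updated to 2.10.4 (CRuby, packaged libs only)" =>
    { affected: ["< 1.14.3"], patched: "1.14.3", packaged_libxml_only: true },
}.freeze

# Pull the resolved nokogiri version out of Gemfile.lock. Assumed line format:
#   "    nokogiri (1.13.8-x86_64-linux)"   (platform suffix optional)
# The DEPENDENCIES entry ("nokogiri (~> 1.13)") is skipped because it has no x.y.z.
def locked_nokogiri_version(lockfile_text)
  m = lockfile_text.match(/^\s+nokogiri \((\d+\.\d+\.\d+)(?:-[\w-]+)?\)/)
  m && m[1]
end

# Names of the advisories that apply to `version`. `libxml_source` is assumed to be
# Nokogiri::VERSION_INFO["libxml"]["source"], i.e. "packaged" or "system".
def applicable_advisories(version, libxml_source: "packaged")
  v = Gem::Version.new(version)
  ADVISORIES.select do |_name, adv|
    next false if adv[:packaged_libxml_only] && libxml_source != "packaged"

    Gem::Requirement.new(*adv[:affected]).satisfied_by?(v)
  end.keys
end

# The advisories' alternative mitigation: an externally linked libxml2 at or above the
# version the newer advisory requires. `loaded` is assumed to come from
# Nokogiri::VERSION_INFO["libxml"]["loaded"].
def external_libxml_mitigated?(loaded, minimum = "2.10.4")
  Gem::Version.new(loaded) >= Gem::Version.new(minimum)
end

# Constructed sample lockfile (not from a real project), pinned to the pre-bump version.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.8-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.2)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri (~> 1.13)
LOCK

if __FILE__ == $PROGRAM_NAME
  before = locked_nokogiri_version(SAMPLE_LOCK)
  puts "nokogiri #{before} (packaged libxml2):"
  applicable_advisories(before).each { |name| puts "  - #{name}" }
  puts "nokogiri #{before} (system libxml2 2.10.4): " \
       "#{applicable_advisories(before, libxml_source: 'system').size} advisory still applies, " \
       "libxml2 mitigated=#{external_libxml_mitigated?('2.10.4')}"
  puts "nokogiri 1.15.2: #{applicable_advisories('1.15.2').inspect}"
end
```

Note that the `XML::Reader#attribute_hash` advisory is not cleared by switching to a system libxml2, since the missing check lives in Nokogiri's own extension code; only a gem upgrade to 1.13.10 or later removes it. A real check would replace `SAMPLE_LOCK` with `File.read("Gemfile.lock")` and take `libxml_source` from `Nokogiri::VERSION_INFO` inside the affected application.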
Release notes
Sourced from nokogiri's releases.
1.15.2 / 2023-05-24
Dependencies
- [JRuby] Vendored org.nokogiri:nekodtd is updated to v0.1.11.noko2. This is functionally equivalent to v0.1.11.noko1 but restores support for Java 8.
Fixed
- [JRuby] Java 8 support is restored, fixing a regression present in v1.14.0..v1.14.4 and v1.15.0..v1.15.1. [#2887]
sha256 checksums:
497c698f0cc0f283934c9c93064249d113408e97e5f3677b0b5111af24a67c29 nokogiri-1.15.2-aarch64-linux.gem
505ad4b80cedd12bc3c53065079cc825e7f3d4094ca7b54176ae6f3734dbe2cc nokogiri-1.15.2-arm-linux.gem
bbedeaf45ce1494f51806e5fab0d31816fc4584f8e2ec757dd516b9b30847ee4 nokogiri-1.15.2-arm64-darwin.gem
b15ba3c1aa5b3726d7aceb44f635250653467c5b0d04248fa0f6a6afc6515fb0 nokogiri-1.15.2-java.gem
bc3cc9631c9dd7a74a59554215474da657f956ccb126391d082a2a8c45d3ee14 nokogiri-1.15.2-x64-mingw-ucrt.gem
1fd27732b161a497275798e502b31e97dfe1ab58aac02c0d6ace9cbe1fd6a38c nokogiri-1.15.2-x64-mingw32.gem
931383c6351d79903149b5c6a988e88daada59d7069f3a01b4dcf6730d411cc6 nokogiri-1.15.2-x86-linux.gem
3f4a6350ca1d87d185f4bf509d953820c7191d1cf4213cc3bac9c492b9b4a720 nokogiri-1.15.2-x86-mingw32.gem
b57eeec09ee1c4010e317f50d2897fb9c1133d02598260db229e81127b337930 nokogiri-1.15.2-x86_64-darwin.gem
5bca696b9283ad7ce97b9c0dfdf029a62c26e92f39f440a65795e377d44f119a nokogiri-1.15.2-x86_64-linux.gem
20dc800b8fbe4c4f4b5b164e6aa3ab82a371bcb27eb685c166961c34dd8a22d7 nokogiri-1.15.2.gem
1.15.1 / 2023-05-19
Dependencies
- [CRuby] Vendored libxml2 is updated to v2.11.4 from v2.11.3. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.4
Fixed
- [CRuby] The libxml2 update fixes an encoding regression when push-parsing UTF-8 sequences. [#2882, upstream issue and commit]
sha256 checksums:
a5d622a36d67c5296cf892871501abf0ca168056276d6c52519254cc05e2ed8e nokogiri-1.15.1-aarch64-linux.gem
ccc3b40e1f75e683107c78d0c77503df6520c614a0ea145743e929e492459662 nokogiri-1.15.1-arm-linux.gem
6d2ea3421f05dbd761017de1a16eae0fd83fbacf344310050796e674598ad711 nokogiri-1.15.1-arm64-darwin.gem
123c0c2f8e4bdb5b4bb42a2048ac3683b11b37d1778b804e4cb71c8fc7422d00 nokogiri-1.15.1-java.gem
... (truncated)
Changelog
Sourced from nokogiri's changelog.
1.15.2 / 2023-05-24
Dependencies
- [JRuby] Vendored org.nokogiri:nekodtd is updated to v0.1.11.noko2. This is functionally equivalent to v0.1.11.noko1 but restores support for Java 8.
Fixed
- [JRuby] Java 8 support is restored, fixing a regression present in v1.14.0..v1.14.4 and v1.15.0..v1.15.1. [#2887]
1.15.1 / 2023-05-19
Dependencies
- [CRuby] Vendored libxml2 is updated to v2.11.4 from v2.11.3. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.4
Fixed
- [CRuby] The libxml2 update fixes an encoding regression when push-parsing UTF-8 sequences. [#2882, upstream issue and commit]
1.15.0 / 2023-05-15
Notes
Ability to opt into system `malloc` and `free`

Since 2009, Nokogiri has configured libxml2 to use `ruby_xmalloc` et al for memory management. This has provided benefits for memory management, but comes with a performance penalty. Users can now opt into using system `malloc` for libxml2 memory management by setting an environment variable:

# "default" here means "libxml2's default" which is system malloc
NOKOGIRI_LIBXML_MEMORY_MANAGEMENT=default
- [CRuby] Vendored libxml2 is updated to v2.11.3 from v2.10.4. For details please see:
... (truncated)
Commits
- a6ad20b version bump to v1.15.2
- 4b715d4 doc: update CHANGELOG for v1.14.5
- e1f84d8 Merge pull request #2889 from sparklemotion/flavorjones-test-java8
- fc01685 dep: update org.nokogiri:nekodtd to v0.1.11.noko2
- ff2c996 ci: test installed gem on java 8
- 18d4de4 Merge pull request #2886 from sparklemotion/dependabot/bundler/rubocop-perfor...
- 25728d9 build(deps-dev): update rubocop-performance requirement
- 25b2166 version bump to v1.15.1
- a37327e Merge pull request #2883 from sparklemotion/flavorjones-upgrade-libxml2-2.11.4
- 93fd5ec dep: update libxml2 to v2.11.4
- Additional commits viewable in compare view