[Security] Bump nokogiri from 1.15.2 to 1.16.6 (!875) · Merge requests · HIFIS / Overall / hifis.net

HIFIS Bot requested to merge dependabot-bundler-nokogiri-1.16.6 into master Jun 19, 2024

Bumps nokogiri from 1.15.2 to 1.16.6. This update includes security fixes.

Vulnerabilities fixed

Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062

Summary

Nokogiri upgrades its dependency libxml2 as follows:

Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6

Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604

patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

... (truncated)

Patched versions: 1.15.6; 1.16.2 Affected versions: = 1.16.0, < 1.16.2

Use-after-free in libxml2 via Nokogiri::XML::Reader

Summary

Nokogiri upgrades its dependency libxml2 as follows:

v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6

v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604

patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Severity

... (truncated)

Patched versions: 1.16.2; 1.15.6 Affected versions: >= 1.16.0, < 1.16.2; < 1.15.6

Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720

patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced

2024-05-13 08:30 EDT, nokogiri maintainers begin triage

2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

Patched versions: 1.16.5 Affected versions: < 1.16.5

Release notes

Sourced from nokogiri's releases.

v1.16.6 / 2024-06-13

Dependencies

[CRuby] Vendored libxml2 is updated to v2.12.8, which the release notes state is a bugfix release.

sha256 checksums:

7f4c37ee2dd9c97fdfb6278cf3d9dd2078651f241eed320e26902135dbf78183  nokogiri-1.16.6-aarch64-linux.gem
73d7a7ca569308f181a234269e6607c9acb26ecc93ccbb05998d24a9546c0a94  nokogiri-1.16.6-arm-linux.gem
43e8a783697c65413408a4923b5c2ed6bea6632cfdab4da220446b601733fa4b  nokogiri-1.16.6-arm64-darwin.gem
993ec13a1f0fb2261913e62e1f7a662c77108b1a59c903033eac432f74437275  nokogiri-1.16.6-java.gem
285687f16c330a9b61793d9d45913becf7a9aa82b0ce15c48fc1e0d6c6c9972f  nokogiri-1.16.6-x64-mingw-ucrt.gem
dbbefbfabe363daaa90e7c0b15854769e17ee5b8ae243014e0e55c01047eb5cd  nokogiri-1.16.6-x64-mingw32.gem
dedac3ee38b4deed1141747f04dd5ac512ef9165259cec66ec934edaa8a2a848  nokogiri-1.16.6-x86-linux.gem
5080e9512e3ba320aef074c16a23aef737301ac0e3b7a173a299dcaaa40b6a20  nokogiri-1.16.6-x86-mingw32.gem
92fa413d866baf9b609f17558ecfbcf950d5373213babcf4ce11d7eaed4b21cf  nokogiri-1.16.6-x86_64-darwin.gem
769bd2c14ad76dd5a7e14c867741cf2e3b8c25626a34f40aee7b0b998b8de820  nokogiri-1.16.6-x86_64-linux.gem
935fe4dd67d4377f4a05002acb1ffbadbcae265ea8e7869fc40e3a8121f3e1ef  nokogiri-1.16.6.gem

v1.16.5 / 2024-05-13

Security

[CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See GHSA-r95h-9x8f-r3f7 for more information.

Dependencies

[CRuby] Vendored libxml2 is updated to v2.12.7 from v2.12.6. (@flavorjones)

sha256 checksums:

af0f44fa3e664dfb2aa10de8b551447d720c1e8d1f0aa3f35783dcc43e40a874  nokogiri-1.16.5-aarch64-linux.gem
23dc2357b26409a5c33b7e32a82902f0e9995305420f16d1a03ab3ea1a482fec  nokogiri-1.16.5-arm-linux.gem
950d037530edb49f75ad35de0b8038b970a7dda57e2b6326895b0e49fadf6214  nokogiri-1.16.5-arm64-darwin.gem
b7aefc94370c62476b8528e8d8abb6160203abd84a1f4eceda8f1aa8974d9989  nokogiri-1.16.5-java.gem
ec2167160df8fec3137bf95d574ed80ebc1d002bb3b281546b60b4aa9002466e  nokogiri-1.16.5-x64-mingw-ucrt.gem
6984200491fac69974005ecfa2de129d61843d345eafa5d6f58e8b908d1cf107  nokogiri-1.16.5-x64-mingw32.gem
abdc389ab1ec6604492da16bd9d06ad746fdb6bd6a1bd274c400d61ffcadb3c4  nokogiri-1.16.5-x86-linux.gem
63d24981345856f2baf7f4089870a62d3042fb8d3021b280fb04fc052532e3c4  nokogiri-1.16.5-x86-mingw32.gem
71b5f54e378c433d13df67c3b71acc4716129da62402d8181f310c4216a63279  nokogiri-1.16.5-x86_64-darwin.gem
0ca238da870066bed2f7837af6f35791bb9b76c4c5638999c46aac44818a6a97  nokogiri-1.16.5-x86_64-linux.gem
</tr></table>

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.16.6 / 2024-06-13

Dependencies

[CRuby] Vendored libxml2 is updated to v2.12.8, which the release notes state is a bugfix release.

v1.16.5 / 2024-05-13

Security

[CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See GHSA-r95h-9x8f-r3f7 for more information.

Dependencies

[CRuby] Vendored libxml2 is updated to v2.12.7 from v2.12.6. (@flavorjones)

v1.16.4 / 2024-04-10

Dependencies

[CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

v1.16.3 / 2024-03-15

Dependencies

[CRuby] Vendored libxml2 is updated to v2.12.6 from v2.12.5. (@flavorjones)

Changed

[CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.

v1.16.2 / 2024-02-04

Security

[CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See GHSA-xc9x-jj77-9p9j for more information.

Dependencies

[CRuby] Vendored libxml2 is updated to v2.12.5 from v2.12.4. (@flavorjones)

... (truncated)

Commits

fb833ea version bump to v1.16.6
bacc8dc dep: update libxml2 to 2.12.8 (backport to v1.16.x) (#3229)
cf0579f doc: update CHANGELOG
447fd12 dep: update libxml2 to 2.12.8
cd70bd3 version bump to v1.16.5
afc36de dep: update vendored libxml2 to v2.12.7 (#3191)
41b4f08 ci: add arm64-darwin coverage using macos-14
67b9e86 dep: update libxml2 to v2.12.7
17c0362 version bump to v1.16.4
1c329e9 dep: update to zlib 1.3.1 (v1.16.x) (#3175)
Additional commits viewable in compare view

[Security] Bump nokogiri from 1.15.2 to 1.16.6

Summary

Mitigation

Summary

Severity

Summary

Impact

Timeline

v1.16.6 / 2024-06-13

Dependencies

v1.16.5 / 2024-05-13

Security

Dependencies

v1.16.6 / 2024-06-13

Dependencies

v1.16.5 / 2024-05-13

Security

Dependencies

v1.16.4 / 2024-04-10

Dependencies

v1.16.3 / 2024-03-15

Dependencies

Changed

v1.16.2 / 2024-02-04

Security

Dependencies

Merge request reports