dep: [security] bump nokogiri from 1.13.9 to 1.13.10
Bumps nokogiri from 1.13.9 to 1.13.10. This update includes a security fix.
Vulnerabilities fixed

Unchecked return value from xmlTextReaderExpand

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

... (truncated)

Patched versions: 1.13.10
Affected versions: >= 1.13.8, < 1.13.10
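The mitigation above amounts to two checks: is the locked nokogiri version inside the affected range, and does the code base call the two `XML::Reader` methods named in the advisory. The following is an added example (not part of this MR or of nokogiri) that performs both checks over a constructed `Gemfile.lock` fragment and a constructed source file, using only Ruby's bundled `Gem::Version` / `Gem::Requirement`; the lockfile text, the file name `app/xml_import.rb` and its contents are assumptions.

```ruby
# Added example: flag a nokogiri version in the advisory's affected range
# (>= 1.13.8, < 1.13.10) and locate calls to the Reader attribute methods.
require "rubygems"

AFFECTED = Gem::Requirement.new(">= 1.13.8", "< 1.13.10")  # from the advisory
PATCHED  = Gem::Version.new("1.13.10")
READER_CALLS = /\b(?:attribute_hash|attributes)\b/          # methods named in the advisory

# Extract the locked nokogiri version from Gemfile.lock text.
# Lines look like "    nokogiri (1.13.9-x86_64-linux)"; the platform
# suffix is dropped before comparing.
def locked_nokogiri_version(lockfile_text)
  m = lockfile_text.match(/^\s+nokogiri \(([\d.]+)(?:-[^)]+)?\)/)
  m && Gem::Version.new(m[1])
end

def affected_version?(version)
  !version.nil? && AFFECTED.satisfied_by?(version)
end

# Return [path, line_number] for every source line mentioning the Reader
# attribute methods. This is the coarse textual search the advisory
# suggests; it does not prove that XML::Reader is the receiver.
def reader_call_sites(sources)
  sources.flat_map do |path, text|
    text.each_line.with_index(1)
        .select { |line, _| line =~ READER_CALLS }
        .map { |_, n| [path, n] }
  end
end

# Constructed sample input (not from a real project).
LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.9-x86_64-linux)
        racc (~> 1.4)
LOCK
SOURCES = {
  "app/xml_import.rb" =>
    "reader = Nokogiri::XML::Reader(io)\nreader.each { |n| attrs = n.attribute_hash }\n"
}

if __FILE__ == $0
  v = locked_nokogiri_version(LOCK)
  puts "nokogiri #{v}: #{affected_version?(v) ? "AFFECTED, upgrade to >= #{PATCHED}" : "ok"}"
  reader_call_sites(SOURCES).each { |p, n| puts "  #{p}:#{n} calls a Reader attribute method" }
end
```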
Release notes
Sourced from nokogiri's releases.
1.13.10 / 2022-12-07
Security
- [CRuby] Address CVE-2022-23476, unchecked return value from `xmlTextReaderExpand`. See GHSA-qv4q-mr5r-qprj for more information.

Improvements

- [CRuby] `XML::Reader#attribute_hash` now returns `nil` on parse errors. This restores the behavior of `#attributes` from v1.13.7 and earlier. [#2715]
sha256 checksums:
Changelog
Sourced from nokogiri's changelog.
1.13.10 / 2022-12-07
Security
- [CRuby] Address CVE-2022-23476, unchecked return value from `xmlTextReaderExpand`. See GHSA-qv4q-mr5r-qprj for more information.

Improvements

- [CRuby] `XML::Reader#attribute_hash` now returns `nil` on parse errors. This restores the behavior of `#attributes` from v1.13.7 and earlier. [#2715]
Commits
- 4c80121 version bump to v1.13.10
- 85410e3 Merge pull request #2715 from sparklemotion/flavorjones-fix-reader-error-hand...
- 9fe0761 fix(cruby): XML::Reader#attribute_hash returns nil on error
- 3b9c736 Merge pull request #2717 from sparklemotion/flavorjones-lock-psych-to-fix-bui...
- 2efa87b test: skip large cdata test on system libxml2
- 3187d67 dep(dev): pin psych to v4 until v5 builds in CI
- a16b4bf style(rubocop): disable Minitest/EmptyLineBeforeAssertionMethods
- See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR:

- `@dependabot-bot rebase` will rebase this MR
- `@dependabot-bot recreate` will recreate this MR, rewriting all the manual changes and resolving conflicts
Allure report
allure-report-publisher generated test report!
rspec:
+------------------------------------------------------------------+
| behaviors summary |
+-------------+--------+--------+---------+-------+-------+--------+
| | passed | failed | skipped | flaky | total | result |
+-------------+--------+--------+---------+-------+-------+--------+
| jobs | 14 | 0 | 0 | 0 | 14 | ✅ |
| controllers | 25 | 0 | 0 | 0 | 25 | ✅ |
| services | 181 | 0 | 0 | 0 | 181 | ✅ |
| models | 4 | 0 | 0 | 0 | 4 | ✅ |
| tasks | 9 | 0 | 0 | 0 | 9 | ✅ |
| system | 10 | 0 | 0 | 0 | 10 | ✅ |
+-------------+--------+--------+---------+-------+-------+--------+
| Total | 243 | 0 | 0 | 0 | 243 | ✅ |
+-------------+--------+--------+---------+-------+-------+--------+