zync
zync copied to clipboard
Published
20 hours ago •
3scale
3scale
🚨 [security] Update nokogiri 1.15.3 → 1.15.6 (patch)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ nokogiri (indirect, 1.15.3 → 1.15.6) · Repo · Changelog
Security Advisories 🚨
🚨 Use-after-free in libxml2 via Nokogiri::XML::Reader
Summary
Nokogiri upgrades its dependency libxml2 as follows:
- v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
- v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4
libxml2 v2.11.7 and v2.12.5 address the following vulnerability:
CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
Please note that this advisory only applies to the CRuby implementation
of Nokogiri, and only if the packaged libraries are being used. If
you've overridden defaults at installation time to use system libraries
instead of packaged libraries, you should instead pay attention to
your distro's libxml2 release announcements.JRuby users are not affected.
Severity
The Nokogiri maintainers have evaluated this as Moderate.
Impact
From the CVE description, this issue applies to the
xmlTextReader
module (which underliesNokogiri::XML::Reader):When using the XML Reader interface with DTD validation and
XInclude expansion enabled, processing crafted XML documents
can lead to an xmlValidatePopElement use-after-free.Mitigation
Upgrade to Nokogiri
~> 1.15.6or>= 1.16.2.Users who are unable to upgrade Nokogiri may also choose a more
complicated mitigation: compile and link Nokogiri against patched
external libxml2 libraries which will also address these same issues.
Release Notes
1.15.6
1.15.6 / 2024-03-16
Note
This security release is a backport to the unsupported v1.15.x branch. Current stable is v1.16.x, which addressed the referenced CVE in v1.16.2 on 2024-02-04.
Security
- [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See GHSA-xc9x-jj77-9p9j for more information.
Dependencies
- [CRuby] Vendored libxml2 is updated to v2.11.7 from v2.11.6. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.7
sha256 checksums:
d79f713dffff149d60ab272d206a3ca96db2b891ab6a9f65362bfb78aface37a gems/nokogiri-1.15.6-aarch64-linux.gem 62b5b7b387ec6c61c1ea5f889b7bc579eedd37f265f7cc1dc392484938549f1a gems/nokogiri-1.15.6-arm-linux.gem ba93c63f5c03047778abf16c80676fe67e7eb7d871ab0aaa7e2c2dfe4ec20027 gems/nokogiri-1.15.6-arm64-darwin.gem d24639a546ba58c86d18da1ed124eaecbd45c5ae4c4dec41751b730a2b732ac3 gems/nokogiri-1.15.6-java.gem e36887d89ec1b080e4a01dd2ff52650003db01d2a5edf5e6ab19e4c0bdb1385f gems/nokogiri-1.15.6-x64-mingw-ucrt.gem 852c59a398499c8fcb6478d76396dcd50afa8f8902563b76265cd7dc90a731a1 gems/nokogiri-1.15.6-x64-mingw32.gem 19e0a5fbfa4393353fbcf6801f8f62350b6e16f43c907680c5884896858a23a2 gems/nokogiri-1.15.6-x86-linux.gem 9d464bbbaad6721a5a73181165fda67573f64ef2803c3337f6f733603e9d309a gems/nokogiri-1.15.6-x86-mingw32.gem 32d045cdb0ce097e4543a5e7a79efd13ff05d904e32f4328732149dbea3c7f15 gems/nokogiri-1.15.6-x86_64-darwin.gem 26a79da0377100d6938ae2f1b115230a8a4a4595e35b89164d8495af32091186 gems/nokogiri-1.15.6-x86_64-linux.gem 70ce799b4b3e23b358501f1da3914f70b1c7a113fb12e96a7d53558481146e08 gems/nokogiri-1.15.6.gem
1.15.5
1.15.5 / 2023-11-17
Dependencies
- [CRuby] Vendored libxml2 is updated to v2.11.6 from v2.11.5. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.6
- [CRuby] Vendored libxslt is updated to v1.1.39 from v1.1.38. For details please see https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.39
sha256 checksums:
6dfa1d9837ddb233e234d56e244560ab1bc545d3d1744478060e18691f44ded7 nokogiri-1.15.5-aarch64-linux.gem e3ac6608c6e1714bc11ff04e29a43fedf4cac2aea1bd88256cc3b927c06f347f nokogiri-1.15.5-arm-linux.gem 4d7b15d53c0397d131376a19875aa97dd1c8b404c2c03bd2171f9b77e9592d40 nokogiri-1.15.5-arm64-darwin.gem 5f87e71aaeb4f7479b94698737a0aacea77836b4805c7433b655e9565bd56cfe nokogiri-1.15.5-java.gem 7612be800909ae51e0a7cfbe1f768757857a9ff0339686814ca67d9bae271ca2 nokogiri-1.15.5-x64-mingw-ucrt.gem 28fd78d98e12005fe017db5ceccb74b2497f30582e6e26a3344200625fe46aae nokogiri-1.15.5-x64-mingw32.gem 0d1b564d7f148a6766380966bb48b23afa72c72c992c69c71d21acd4a7f5c0e4 nokogiri-1.15.5-x86-linux.gem d27dbf44c19b83e570e65b660a8a921441d1e8b6063ab1b985b516f78e0a2854 nokogiri-1.15.5-x86-mingw32.gem 10bafa54935f68aebd23235cb0fc7dfb8f6f5e52131379484771247eb3a0cc70 nokogiri-1.15.5-x86_64-darwin.gem c5d9453cc155dc15f08ac699cc1293fd994ec6cfacec48e67653aa95ee946adf nokogiri-1.15.5-x86_64-linux.gem 22448ca35dbcbdcec60dbe25ccf452b685a5436c28f21b2fec2e20917aba9100 nokogiri-1.15.5.gem
1.15.4
1.15.4 / 2023-08-11
Dependencies
- [CRuby] Vendored libxml2 is updated to v2.11.5 from v2.11.4. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.5
Fixed
- Fixed a typo in a HTML5 parser error message. [#2927] (Thanks, @anishathalye!)
- [CRuby]
ObjectSpace.memsize_ofis now safe to call onDocuments with complex DTDs. In previous versions, this debugging method could result in a segfault. [#2923, #2924]
sha256 checksums:
14091a07e07045a440213f7d5ced732fa7654ae8b6c7d180137f4124c5284ab8 nokogiri-1.15.4-aarch64-linux.gem 572ddc19934d010e98821a946d89462ae66b310fecc3fe12c48b0025c2f76855 nokogiri-1.15.4-arm-linux.gem 707288e293f4fc82a008f90b7ba0180d9f803f6a239a13e424378fedf8cf93e9 nokogiri-1.15.4-arm64-darwin.gem 04745925f63af61144eccef38a703928629cf97c34dbb1c42e3def17ac77ec92 nokogiri-1.15.4-java.gem a0bfb65461a0453afed1a41b235fe84d5b9c7f4d70afd45f0dc2fdec8909faf1 nokogiri-1.15.4-x64-mingw-ucrt.gem b9d01b9202e33cc23d19b2c1fc18ff4029cdda9b4f937a4baaefd4124a2158ba nokogiri-1.15.4-x64-mingw32.gem f6ae258d7ed5f81715118282aa45486e68fd44b9747d0244a236e9ed5b94c45d nokogiri-1.15.4-x86-linux.gem 3f65b2426ece8da908bd5df5b6262ce525393f5245f8258a245bb4c3f5759b98 nokogiri-1.15.4-x86-mingw32.gem d756605c540034debd7f486ae27802e6b1b129013fd6b1bb823783ef6f2bc5d7 nokogiri-1.15.4-x86_64-darwin.gem 872ced3d72d797ed9b5a76c67141c6cee7589711358e11c73e9c53724ffd1842 nokogiri-1.15.4-x86_64-linux.gem e4a801e5ef643cc0036f0a7e93433d18818b31d48c9c287596b68e92c0173c4d nokogiri-1.15.4.gem
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 20 commits:
version bump to v1.15.6dep: update libxml to 2.11.7 (branch 1.15.x) (#3154)ci: pin to a version of bundler that works across supported rubiesdep: bump libxml to v2.11.7version bump to v1.15.5ci: add ruby version to vendored libs cache key (backport) (#3029)ci: add ruby version to vendored libs cache key (#3028)dep: update libxml to 2.11.5 and libxslt to 1.1.39 (v1.15.x) (#3025)ci: skip the BSD builds for nowdep: update libxml to 2.11.5 and libxslt to 1.1.39doc(fix): correct :nodoc:version bump to v1.15.4backport updates and fixes to v1.15.x (#2953)dep: update libxml2 to v2.11.5test: add coverage for the memsize_of bugfix memsize_node when called on xmlAttrsFix typoci: ruby-saml's downstream test suite needs minitest compatstyle: prefer Minitest to MiniTestci: update suppression stack signature
↗️ mini_portile2 (indirect, 2.8.2 → 2.8.5) · Repo · Changelog
Release Notes
2.8.5
2.8.5 / 2023-10-22
Added
- New methods
#lib_pathand#include_pathwhich point at the installed directories underports. (by @flavorjones)- Add config param for CMAKE_BUILD_TYPE, which now defaults to
Release. (#136 by @Watson1978)Experimental
Introduce experimental support for
MiniPortile#mkmf_configwhich sets up MakeMakefile variables to properly link against the recipe. This should make it easier for C extensions to package third-party libraries. (by @flavorjones)
- With no arguments, will set up just
$INCFLAGS,$libs, and$LIBPATH.- Optionally, if provided a pkg-config file, will use that config to more precisely set
$INCFLAGS,$libs,$LIBPATH, and$CFLAGS/$CXXFLAGS.- Optionally, if provided the name of a static archive, will rewrite linker flags to ensure correct linkage.
Note that the behavior may change slightly before official support is announced. Please comment on #118 if you have feedback.
2.8.4
2.8.4 / 2023-07-18
2.8.3
2.8.3 / 2023-07-18
Fixed
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 33 commits:
version bump to 2.8.5doc: update README with cmake_build_type documentationMerge pull request #137 from flavorjones/flavorjones-update-gemspecdev: gemspec has better desc and uses require_relativeMerge pull request #136 from Watson1978/release-buildAdd config param for CMAKE_BUILD_TYPECreate release binary with cmake explicitlyMerge pull request #135 from amatsuda/warningwarning: method redefined; discarding old source_directory=version bump to v2.8.5.rc2Merge pull request #134 from flavorjones/flavorjones-improve-mkmf-config-20230917introduce the "static" parameter to mkmf_configextract `lib_path` and `include_path` methodsversion bump to v2.8.5.rc1Merge pull request #133 from flavorjones/flavorjones-more-precise-pkg-configfeat: more precise implementation of mkmf_config for pkg-configversion bump to v2.9.0.rc1Merge pull request #131 from flavorjones/118-fedora-pkgconffeat: introduce MiniPortile.mkmf_configtest: add an example that uses MakeMakefile.pkg_configci: add a fedora job to the test suitetest: backfill coverage for MiniPortile#activateMerge pull request #132 from flavorjones/flavorjones-uninitialized-ivar-warningsfix: avoid uninitialized ivar warningsversion bump to v2.8.4Merge pull request #130 from stanhu/sh-cmake-cross-compile-varsversion bump to v2.8.3Remap x64 processor type to x86_64[cmake] Automatically add required cross-compilation variablesMerge pull request #129 from stanhu/sh-cmake-msysUpdate CHANGELOG.mdAdd CHANGELOG.md for CMake fixcmake: only use MSYS/NMake generators when available
↗️ racc (indirect, 1.7.1 → 1.7.3) · Repo · Changelog
Release Notes
1.7.3
What's Changed
- Exclude CRuby extension from JRuby gem by @nobu in #244
- Fix for dummy rake/extensiontask.rb at ruby test-bundled-gems by @nobu in #245
- Fix jar file path by @nobu in #246
- Bump by @nobu in #247
- Add
srcstarget to prepare to build by @nobu in #248- Make CI runnable for any push by @yui-knk in #249
- Check
rake buildon CI by @yui-knk in #250- Bump up v1.7.3.pre.1 by @yui-knk in #251
- Fix locations of
expectparam in docs by @yui-knk in #252- 'lib/racc/parser-text.rb' depends on 'lib/racc/info.rb' by @yui-knk in #253
- Bump up v1.7.3 by @yui-knk in #254
Full Changelog: v1.7.2...v1.7.3
1.7.2
What's Changed
- Update parser.rb, fixed typo by @jwillemsen in #224
- Remove leading newline from on_error exception messages. by @zenspider in #226
- Add --frozen to add frozen_string_literals to top of generated files. by @zenspider in #225
- Update development dependency to avoid ruby 2.5 failures by @flavorjones in #228
- dep: pin development dependencies, and enable dependabot for gems by @flavorjones in #229
- Clean embedded pragmas by @nobu in #230
- Embed grammar file name into generated file by @yui-knk in #231
- Bump actions/checkout from 3 to 4 by @dependabot in #232
- Fix a typo by @yui-knk in #234
- Add "Release flow" to README.rdoc by @yui-knk in #235
- Prepare 1.7.2 by @nobu in #236
- Remove install guide by setup.rb by @yui-knk in #237
- Fix tiny typos by @makenowjust in #238
- Remove old checks by @nobu in #240
- Remove MANIFEST which was used by ancient extmk.rb by @nobu in #242
- Extract Racc::VERSION from racc/info.rb at extconf.rb by @nobu in #241
- Use prototype declarations by @nobu in #243
- Bump up v1.7.2 by @yui-knk in #239
New Contributors
- @makenowjust made their first contribution in #238
Full Changelog: v1.7.1...v1.7.2
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 67 commits:
Merge pull request #254 from yui-knk/v1.7.3Bump up v1.7.3Merge pull request #253 from yui-knk/add_dependency'lib/racc/parser-text.rb' depends on 'lib/racc/info.rb'Merge pull request #252 from yui-knk/fix_doc_expect_paramFix locations of `expect` param in docsMerge pull request #251 from yui-knk/v1.7.3.pre.1Bump up v1.7.3.pre.1Merge pull request #250 from yui-knk/test_rake_compile_buildCheck `rake build` on CIMerge pull request #249 from yui-knk/always_run_ciMerge pull request #248 from nobu/srcsMake CI runnable for any pushAdd `srcs` target to prepare to buildMake reproducibleMerge pull request #247 from nobu/bumpUpdate test-unit-ruby-core for ruby 2.5Prepare 1.7.3Add recipe to update RACC_VERSION in Cparse.javaMerge pull request #246 from nobu/jruby-extdirFix jar file pathMerge pull request #245 from nobu/ruby-testFix for dummy rake/extensiontask.rb at ruby test-bundled-gemsMerge pull request #244 from nobu/cruby-extExclude CRuby extension from JRuby gemMerge pull request #239 from yui-knk/v1.7.2Merge pull request #243 from nobu/protoizeUse prototype declarationsBump up v1.7.2Merge pull request #241 from nobu/info_versionMerge pull request #242 from nobu/manifest[DOC] Update release flowRemove MANIFEST which was used by ancient extmk.rbExtract Racc::VERSION from racc/info.rb at extconf.rbMerge pull request #240 from nobu/old-checksRemove fallback codeRemove old checksRename CI file since it is not only Ubuntu now [ci skip]Merge pull request #238 from makenowjust/typosFix tiny typosMerge pull request #237 from yui-knk/remove_install_guide_via_setup_rbRemove install guide by setup.rbMerge pull request #236 from nobu/bump-upStart 1.7.2Update `Gem::Specification#files`Merge pull request #235 from yui-knk/readme_release-flowAdd "Release flow" to README.rdocMerge pull request #234 from yui-knk/fix_typoFix a typoMerge pull request #232 from ruby/dependabot/github_actions/actions/checkout-4Bump actions/checkout from 3 to 4Merge pull request #231 from yui-knk/embed_grammar_file_name_into_generated_fileEmbed grammar file name into generated fileMerge pull request #230 from nobu/embedded-pragmasRemove frozen_string_literal pragmas from embedded runtime filesStop littering platform-independent directory with platform-dependent bianriesMerge pull request #229 from ruby/flavorjones-pin-dev-dependenciesdep: pin development dependencies, and enable dependabot for gemsMerge pull request #228 from ruby/flavorjones-work-around-rake-compiler-ruby-2.5Update development dependency to avoid ruby 2.5 failuresMerge pull request #225 from zenspider/zenspider/frozen_string_literalsMerge pull request #226 from zenspider/zenspider/newlineRemove NEWS files since they've not been updated in quite some timeAdd --frozen to add frozen_string_literals to top of generated files.Remove leading newline from on_error exception messages.Merge pull request #224 from jwillemsen/patch-4Update parser.rb, fixed typo
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
- @depfu rebase
- Rebases against your default branch and redoes this update
- @depfu recreate
- Recreates this PR, overwriting any edits that you've made to it
- @depfu merge
- Merges this PR once your tests are passing and conflicts are resolved
- @depfu cancel merge
- Cancels automatic merging of this PR
- @depfu close
- Closes this PR and deletes the branch
- @depfu reopen
- Restores the branch and reopens this PR (if it's closed)
- @depfu pause
- Ignores all future updates for this dependency and closes this PR
- @depfu pause [minor|major]
- Ignores all future minor/major updates for this dependency and closes this PR
- @depfu resume
- Future versions of this dependency will create PRs again (leaves this PR as is)
![depfu[bot] avatar](https://avatars.githubusercontent.com/in/715?v=4 "Published by a pub.dev verified publisher"){kind=small}