Skip to content

Commit

Permalink
update CHANGELOG
Browse files Browse the repository at this point in the history
related to #1915
  • Loading branch information
flavorjones committed Aug 10, 2019
1 parent 5fe449f commit c86b5fc
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,18 @@
# Nokogiri Changelog

## 1.10.4 / 2019-08-07

### Security

#### Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is https://github.com/sparklemotion/nokogiri/issues/1915


## 1.10.3 / 2019-04-22

### Security Notes
Expand Down

0 comments on commit c86b5fc

Please sign in to comment.