Investigate Ubuntu libxml2 patches in USN-3739-1 and USN-3739-2 #1785

flavorjones · 2018-08-15T05:40:31Z

This issue is to drive investigation and potential action around a set of upstream patches that Canonical judged valuable enough to port to their distributions.

References:

Summary:

Two upstream patches, not yet available in an official libxml2 release, are candidates for patching in Nokogiri's vendored libxml2. A pull request has been created at #1786 for comments.

flavorjones · 2018-08-15T14:43:19Z

USNs

https://usn.ubuntu.com/3739-1/ which addresses:

and https://usn.ubuntu.com/3739-2/ which addresses:

CVE-2016-9318
CVE-2018-14404

Note that 3739-2 addresses a subset of 3739-1.

CVEs

CVE-2016-9318

Permalink is https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9318.html

Description:

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

Canonical rates this vulnerability as "Priority: Low"

The CVE report indicates this is the patch that addresses the vulnerability:

https://git.gnome.org/browse/libxml2/commit/?id=ad88b54f1a28a8565964a370b5d387927b633c0d

Looking at libxml upstream:

$ git tag --contains ad88b54f1a28a8565964a370b5d387927b633c0d
v2.9.8
v2.9.8-rc1

... we see this was fixed in libxml 2.9.8, which Nokogiri has vendored since v1.8.3.

CVE-2017-16932

Permalink is https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html

Description:

parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities

Canonical rates this vulnerability as "Priority: Low"

The CVE report indicates that this is the patch that addresses the vulnerability:

GNOME/libxml2@899a5d9

Looking at libxml upstream:

$ git tag --contains 899a5d9f0ed13b8e32449a08a361e0de127dd961 | cat
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
v2.9.6
v2.9.6-rc1
v2.9.7
v2.9.7-rc1
v2.9.8
v2.9.8-rc1

... we see this has been fixed since libxml 2.9.5, which Nokogiri has vendored since v1.8.1.

CVE-2017-18258

Permalink is https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18258.html

Description:

The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file

Canonical rates this vulnerability as "Priority: Low"

The CVE report indicates that this is the patch that addresses the vulnerability:

https://gitlab.gnome.org/GNOME/libxml2/commit/e2a9122b8dde53d320750451e9907a7dcb2ca8bb

Looking at libxml upstream:

$ git tag --contains e2a9122b8dde53d320750451e9907a7dcb2ca8bb | cat
v2.9.6
v2.9.6-rc1
v2.9.7
v2.9.7-rc1
v2.9.8
v2.9.8-rc1

... we see this has been fixed since libxml 2.9.6, which Nokogiri has vendored since v1.8.2.

CVE-2018-14404

Permalink is https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html

Description:

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application

Canonical rates this vulnerability as "Priority: Medium"

The CVE report indicates that this is the patch that addresses the vulnerability:

https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594

Looking at libxml upstream:

$ git tag --contains a436374994c47b12d5de1b8b1d191a098fa23594 | cat

... we see that this is not yet addressed in an upstream release. This is curious.

CVE-2018-14567

Permalink is https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html

Description:

infinite loop in LZMA decompression

Canonical rates this vulnerability as "Priority: Medium"

The CVE report indicates that this is the patch that addresses the vulnerability:

https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74

Looking at libxml upstream:

$ git tag --contains 2240fbf5912054af025fb6e01e26375100275e74 | cat

... we see that this is not yet addressed in an upstream release. This is curious.

flavorjones · 2018-08-15T14:43:31Z

Conclusions

Of the five CVEs addressed in this USN, these three are already addressed by Nokogiri:

CVE-2016-9318 (since v1.8.3)
CVE-2017-16932 (since v1.8.1)
CVE-2017-18258 (since v1.8.2)

The remaining two CVEs are not yet addressed in an upstream libxml2 release. Here are the commits in question:

I guess I'll try including these patches and see what happens?

based on USN-3739-1 and -2. see related #1785.

flavorjones · 2018-08-15T14:54:49Z

I've created a PR at #1786 for comments. Please take a look and comment there.

<hr> 🚨 Your version of nokogiri has known security vulnerabilities 🚨 Advisory: CVE-2018-14404 Disclosed: October 04, 2018 URL: [https://github.com/sparklemotion/nokogiri/issues/1785](https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785) <details> <summary>Nokogiri gem, via libxml2, is affected by multiple vulnerabilities</summary> <blockquote> Nokogiri 1.8.5 has been released. This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below. If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2. Full details about the security update are available in Github Issue <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>. [<a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>]: <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a> <hr> [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2. <hr> CVE-2018-14404 Permalink: <a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14404.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html</a> Description: A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application Canonical rates this vulnerability as "Priority: Medium" <hr> CVE-2018-14567 Permalink: <a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14567.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html</a> Description: infinite loop in LZMA decompression Canonical rates this vulnerability as "Priority: Medium" </blockquote> </details> 🚨 We recommend to merge and deploy this update as soon as possible! 🚨 <hr> We've updated a dependency and here is what you need to know: | name | version specification | old version | new version | | --- | --- | --- | --- | | nokogiri | _indirect dependency_ | 1.8.4 | 1.8.5 | You should probably take a good look at the info here and the test results before merging this pull request, of course. ### What changed? #### ↗️ nokogiri (_indirect_, 1.8.4 → 1.8.5) · [Repo](https://github.com/sparklemotion/nokogiri/) · [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md) <details> <summary>Commits</summary> <a href="https://github.com/sparklemotion/nokogiri/compare/254f3414811b6d2fff8b0630efe4ce8d29778fb6...e28fa4bb2ed6844c3c63f58062d034e7b99fc90c">See the full diff on Github</a>. The new version differs by 11 commits: <ul> <li><a href="https://github.com/sparklemotion/nokogiri/commit/e28fa4bb2ed6844c3c63f58062d034e7b99fc90c"><code>version bump to v1.8.5</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/712edef8a8c7fa593e09517891d336758af42cba"><code>update changelog</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/7feb4c167a9ae1ba4e87923597ba7e7b309b1713"><code>Merge branch 'fix-1773'</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/7cc6cf6a74bd718b46182f0e646b63ff0a00f728"><code>Organize imports in XmlNode.java.</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/169744261c5c023dff40de0811a826ad4d1fcc05"><code>Allow reparenting nodes to be a child of an empty document.</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/7b8cd0f5b15a926e92c869b450dd6f71cdd17b61"><code>Merge pull request #1786 from sparklemotion/1785-canonical-usns</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/5bff4bb3f1692069c617f4333b2ccc5570f0f414"><code>pull in upstream libxml2 patches</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/c232226448a44bb81220d3750a6453a0aef88fb1"><code>changelog</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/862b88f39264b7b5e223a63e3d4d0eeade4db9ff"><code>changelog</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/b3750eb71e101287aa0e7a231232222c7213b3f3"><code>remove `-Wextra` CFLAG</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/91a63d55eb92ef0bcb141b6c094a28ef026eaf16"><code>add tests for pkg-config failure scenario</code></a></li> </ul> </details> --- [![Depfu Status](https://depfu.com/badges/e69c6c7bda228fd38f6335ea889589cb/stats.svg)](https://depfu.com/repos/joenas/preschool?project_id=4294 "See the full overview on Depfu") Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`. <details><summary>All Depfu comment commands</summary> <blockquote><dl> <dt>@depfu rebase</dt><dd>Rebases against your default branch and redoes this update</dd> <dt>@depfu pause</dt><dd>Ignores all future updates for this dependency and closes this PR</dd> <dt>@depfu pause [minor|major]</dt><dd>Ignores all future minor/major updates for this dependency and closes this PR</dd> <dt>@depfu resume</dt><dd>Future versions of this dependency will create PRs again (leaves this PR as is)</dd> </dl></blockquote> Go to the <a href="https://depfu.com/repos/joenas/preschool?project_id=4294">Depfu Dashboard</a> to see the state of your dependencies and to customize how Depfu works. </details>

sparklemotion/nokogiri#1785

<hr> 🚨 Your version of nokogiri has known security vulnerabilities 🚨 Advisory: CVE-2018-14404 Disclosed: October 04, 2018 URL: [https://github.com/sparklemotion/nokogiri/issues/1785](https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785) <details> <summary>Nokogiri gem, via libxml2, is affected by multiple vulnerabilities</summary> <blockquote> Nokogiri 1.8.5 has been released. This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below. If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2. Full details about the security update are available in Github Issue <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>. [<a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>]: <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a> <hr> [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2. <hr> CVE-2018-14404 Permalink: <a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14404.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html</a> Description: A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application Canonical rates this vulnerability as "Priority: Medium" <hr> CVE-2018-14567 Permalink: <a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14567.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html</a> Description: infinite loop in LZMA decompression Canonical rates this vulnerability as "Priority: Medium" </blockquote> </details> 🚨 We recommend to merge and deploy this update as soon as possible! 🚨 <hr> We've updated a dependency and here is what you need to know: | name | version specification | old version | new version | | --- | --- | --- | --- | | nokogiri | _indirect dependency_ | 1.8.4 | 1.8.5 | You should probably take a good look at the info here and the test results before merging this pull request, of course. ### What changed? #### ↗️ nokogiri (_indirect_, 1.8.4 → 1.8.5) · [Repo](https://github.com/sparklemotion/nokogiri/) · [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md) <details> <summary>Commits</summary> <a href="https://github.com/sparklemotion/nokogiri/compare/254f3414811b6d2fff8b0630efe4ce8d29778fb6...e28fa4bb2ed6844c3c63f58062d034e7b99fc90c">See the full diff on Github</a>. The new version differs by 11 commits: <ul> <li><a href="https://github.com/sparklemotion/nokogiri/commit/e28fa4bb2ed6844c3c63f58062d034e7b99fc90c"><code>version bump to v1.8.5</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/712edef8a8c7fa593e09517891d336758af42cba"><code>update changelog</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/7feb4c167a9ae1ba4e87923597ba7e7b309b1713"><code>Merge branch 'fix-1773'</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/7cc6cf6a74bd718b46182f0e646b63ff0a00f728"><code>Organize imports in XmlNode.java.</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/169744261c5c023dff40de0811a826ad4d1fcc05"><code>Allow reparenting nodes to be a child of an empty document.</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/7b8cd0f5b15a926e92c869b450dd6f71cdd17b61"><code>Merge pull request #1786 from sparklemotion/1785-canonical-usns</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/5bff4bb3f1692069c617f4333b2ccc5570f0f414"><code>pull in upstream libxml2 patches</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/c232226448a44bb81220d3750a6453a0aef88fb1"><code>changelog</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/862b88f39264b7b5e223a63e3d4d0eeade4db9ff"><code>changelog</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/b3750eb71e101287aa0e7a231232222c7213b3f3"><code>remove `-Wextra` CFLAG</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/91a63d55eb92ef0bcb141b6c094a28ef026eaf16"><code>add tests for pkg-config failure scenario</code></a></li> </ul> </details> --- ![Depfu Status](https://depfu.com/badges/0a723c09b68149a932bdb420ef5f5e4e/stats.svg) [Depfu](https://depfu.com) will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`. <details><summary>All Depfu comment commands</summary> <blockquote><dl> <dt>@depfu rebase</dt><dd>Rebases against your default branch and redoes this update</dd> <dt>@depfu pause</dt><dd>Ignores all future updates for this dependency and closes this PR</dd> <dt>@depfu pause [minor|major]</dt><dd>Ignores all future minor/major updates for this dependency and closes this PR</dd> <dt>@depfu resume</dt><dd>Future versions of this dependency will create PRs again (leaves this PR as is)</dd> </dl></blockquote> </details>

Bundler-audit report the following security advisory for nokogiri. This PR updates nokogiri to the recommended version. Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5

see https://circleci.com/gh/railslink/railslink/138 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5

Resolves CVE described here: sparklemotion/nokogiri#1785

ruby-advisory-db: 323 advisories Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rubyzip Version: 1.2.1 Advisory: CVE-2018-1000544 Criticality: Unknown URL: rubyzip/rubyzip#369 Title: Directory Traversal in rubyzip Solution: upgrade to >= 1.2.2

Updated 'deface' to update 'nokogiri' dependency gem after vulnerability checks with 'audit': Nokogiri gem, via libxml2, is affected by multiple vulnerabilities. sparklemotion/nokogiri#1785

Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Name: sprockets Version: 2.12.4 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets

Upstream changes (from CHANGELOG.md): # 1.8.5 / 2018-10-04 ## Security Notes [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in [#1785] (sparklemotion/nokogiri#1785). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2. ## Bug fixes * [MRI] Fix regression in installation when building against system libraries, where some systems would not be able to find libxml2 or libxslt when present. (Regression introduced in v1.8.3.) [#1722] * [JRuby] Fix node reparenting when the destination doc is empty. [#1773]

As reported by `bundler-audit`: Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5

flavorjones/loofah#154 and sparklemotion/nokogiri#1785

- Fix some vulnerabilities ``` Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 ``` - Fix factory_bot issues - Closes thoughtbot#1225

- Fix some vulnerabilities ``` Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 ``` - Fix factory_bot issues - Closes #1225

The vulnerability message is below. In order to upgrade activejob, I had to upgrade Rails to version 5.1.6.1, which touched quite a few other gems. Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: rack Version: 2.0.3 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: sprockets Version: 3.7.1 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8

Address a couple of CVEs (as reported by `bundler-audit`). Name: ffi Version: 1.9.23 Advisory: CVE-2018-1000201 Criticality: High URL: https://github.com/ffi/ffi/releases/tag/1.9.24 Title: ruby-ffi DDL loading issue on Windows OS Solution: upgrade to >= 1.9.24 Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rubyzip Version: 1.2.1 Advisory: CVE-2018-1000544 Criticality: Unknown URL: rubyzip/rubyzip#369 Title: Directory Traversal in rubyzip Solution: upgrade to >= 1.2.2

$ bundle exec bundle-audit check Name: actionview Version: 5.2.1 Advisory: CVE-2019-5419 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11 Name: actionview Version: 5.2.1 Advisory: CVE-2019-5418 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3 Name: activejob Version: 5.2.1 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activestorage Version: 5.2.1 Advisory: CVE-2018-16477 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg Title: Bypass vulnerability in Active Storage Solution: upgrade to >= 5.2.1.1 Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 Name: railties Version: 5.2.1 Advisory: CVE-2019-5420 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw Title: Possible Remote Code Execution Exploit in Rails Development Mode Solution: upgrade to >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3 Vulnerabilities found!

- Fix some vulnerabilities ``` Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 ``` - Fix factory_bot issues - Closes #1225

Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8166 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw Title: Ability to forge per-form CSRF tokens given a global CSRF token Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8164 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY Title: Possible Strong Parameters Bypass in ActionPack Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.1.4 Advisory: CVE-2020-15169 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc Title: Potential XSS vulnerability in Action View Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3 Name: actionview Version: 5.1.4 Advisory: CVE-2020-8167 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0 Title: CSRF Vulnerability in rails-ujs Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5418 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3 Name: actionview Version: 5.1.4 Advisory: CVE-2020-5267 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 Title: Possible XSS vulnerability in ActionView Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5419 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1 Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activesupport Version: 5.1.4 Advisory: CVE-2020-8165 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: ffi Version: 1.9.18 Advisory: CVE-2018-1000201 Criticality: High URL: https://github.com/ffi/ffi/releases/tag/1.9.24 Title: ruby-ffi DDL loading issue on Windows OS Solution: upgrade to >= 1.9.24 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2019-11358 Criticality: Medium URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ Title: Prototype pollution attack through jQuery $.extend Solution: upgrade to >= 4.3.4 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Medium URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2019-15587 Criticality: Medium URL: flavorjones/loofah#171 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.3.1 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-26247 Criticality: Low URL: GHSA-vr8q-g5c7-m54m Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Solution: upgrade to >= 1.11.0.rc4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-7595 Criticality: High URL: sparklemotion/nokogiri#1992 Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Solution: upgrade to >= 1.10.8 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-5477 Criticality: Critical URL: sparklemotion/nokogiri#1915 Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Solution: upgrade to >= 1.10.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-13117 Criticality: Unknown URL: sparklemotion/nokogiri#1943 Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Solution: upgrade to >= 1.10.5 Name: rack Version: 2.0.8 Advisory: CVE-2020-8161 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA Title: Directory traversal in Rack::Directory app bundled with Rack Solution: upgrade to ~> 2.1.3, >= 2.2.0 Name: rack Version: 2.0.8 Advisory: CVE-2020-8184 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names Solution: upgrade to ~> 2.1.4, >= 2.2.3 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: sprockets Version: 3.7.1 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets Solution: upgrade to >= 2.12.5, < 3.0.0, >= 3.7.2, < 4.0.0, >= 4.0.0.beta8

Numerous CVEs found: Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6

…VEs) It found the following 53 vulnerabilities: Name: actionpack Version: 5.1.4 Advisory: CVE-2021-22885 Criticality: High URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI Title: Possible Information Disclosure / Unintended Method Execution in Action Pack Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8166 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw Title: Ability to forge per-form CSRF tokens given a global CSRF token Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8164 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY Title: Possible Strong Parameters Bypass in ActionPack Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2021-22904 Criticality: High URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ Title: Possible DoS Vulnerability in Action Controller Token Authentication Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 Name: actionpack Version: 5.1.4 Advisory: CVE-2022-23633 Criticality: High URL: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ Title: Possible exposure of information vulnerability in Action Pack Solution: upgrade to ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2020-15169 Criticality: Medium URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc Title: Potential XSS vulnerability in Action View Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3 Name: actionview Version: 5.1.4 Advisory: CVE-2020-5267 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 Title: Possible XSS vulnerability in ActionView Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2020-8167 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0 Title: CSRF Vulnerability in rails-ujs Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5419 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5418 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3 Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activerecord Version: 5.1.4 Advisory: CVE-2021-22880 Criticality: Medium URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1 Name: activesupport Version: 5.1.4 Advisory: CVE-2020-8165 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: addressable Version: 2.5.2 Advisory: CVE-2021-32740 Criticality: High URL: GHSA-jxhc-q857-3j6g Title: Regular Expression Denial of Service in Addressable templates Solution: upgrade to >= 2.8.0 Name: carrierwave Version: 1.2.1 Advisory: CVE-2021-21288 Criticality: Medium URL: GHSA-fwcm-636p-68r5 Title: Server-side request forgery in CarrierWave Solution: upgrade to ~> 1.3.2, >= 2.1.1 Name: carrierwave Version: 1.2.1 Advisory: CVE-2021-21305 Criticality: High URL: GHSA-cf3w-g86h-35x4 Title: Code Injection vulnerability in CarrierWave::RMagick Solution: upgrade to ~> 1.3.2, >= 2.1.1 Name: ffi Version: 1.9.18 Advisory: CVE-2018-1000201 Criticality: High URL: https://github.com/ffi/ffi/releases/tag/1.9.24 Title: ruby-ffi DDL loading issue on Windows OS Solution: upgrade to >= 1.9.24 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2020-11023 Criticality: Medium URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released Title: Potential XSS vulnerability in jQuery Solution: upgrade to >= 4.4.0 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2019-11358 Criticality: Medium URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ Title: Prototype pollution attack through jQuery $.extend Solution: upgrade to >= 4.3.4 Name: jquery-ui-rails Version: 5.0.5 Advisory: CVE-2016-7103 Criticality: Medium URL: jquery/api.jqueryui.com#281 Title: XSS Vulnerability on closeText option of Dialog jQuery UI Solution: upgrade to >= 6.0.0 Name: kaminari Version: 1.1.1 Advisory: CVE-2020-11082 Criticality: Medium URL: GHSA-r5jw-62xg-j433 Title: Cross-Site Scripting in Kaminari via `original_script_name` parameter Solution: upgrade to >= 1.2.1 Name: loofah Version: 2.1.1 Advisory: CVE-2019-15587 Criticality: Medium URL: flavorjones/loofah#171 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.3.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Medium URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Medium URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: mini_magick Version: 4.8.0 Advisory: CVE-2019-13574 Criticality: High URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/ Title: Remote command execution via filename Solution: upgrade to >= 4.9.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-5477 Criticality: Critical URL: sparklemotion/nokogiri#1915 Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Solution: upgrade to >= 1.10.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2021-41098 Criticality: High URL: GHSA-2rr5-8q37-2w7h Title: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby Solution: upgrade to >= 1.12.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: High URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-24839 Criticality: High URL: GHSA-9849-p7jc-9rmv Title: Denial of Service (DoS) in Nokogiri on JRuby Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-23437 Criticality: Medium URL: GHSA-xxx9-3xcr-gjj3 Title: XML Injection in Xerces Java affects Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2021-30560 Criticality: High URL: GHSA-fq42-c5rg-92c2 Title: Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) Solution: upgrade to >= 1.13.2 Name: nokogiri Version: 1.8.1 Advisory: GHSA-7rrm-v45f-jp64 Criticality: High URL: GHSA-7rrm-v45f-jp64 Title: Update packaged dependency libxml2 from 2.9.10 to 2.9.12 Solution: upgrade to >= 1.11.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-25032 Criticality: High URL: GHSA-v6gp-9mmm-c6p5 Title: Out-of-bounds Write in zlib affects Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-7595 Criticality: High URL: sparklemotion/nokogiri#1992 Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Solution: upgrade to >= 1.10.8 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-13117 Criticality: Unknown URL: sparklemotion/nokogiri#1943 Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Solution: upgrade to >= 1.10.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-24836 Criticality: High URL: GHSA-crjr-9rc5-ghw8 Title: Inefficient Regular Expression Complexity in Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-26247 Criticality: Low URL: GHSA-vr8q-g5c7-m54m Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Solution: upgrade to >= 1.11.0.rc4 Name: puma Version: 4.3.3 Advisory: CVE-2021-29509 Criticality: High URL: GHSA-q28m-8xjw-8vr5 Title: Keepalive Connections Causing Denial Of Service in puma Solution: upgrade to ~> 4.3.8, >= 5.3.1 Name: puma Version: 4.3.3 Advisory: CVE-2022-24790 Criticality: Critical URL: GHSA-h99w-9q5r-gjq9 Title: HTTP Request Smuggling in puma Solution: upgrade to ~> 4.3.12, >= 5.6.4 Name: puma Version: 4.3.3 Advisory: CVE-2020-11076 Criticality: High URL: GHSA-x7jg-6pwg-fx5h Title: HTTP Smuggling via Transfer-Encoding Header in Puma Solution: upgrade to ~> 3.12.5, >= 4.3.4 Name: puma Version: 4.3.3 Advisory: CVE-2020-11077 Criticality: Medium URL: GHSA-w64w-qqph-5gxm Title: HTTP Smuggling via Transfer-Encoding Header in Puma Solution: upgrade to ~> 3.12.6, >= 4.3.5 Name: puma Version: 4.3.3 Advisory: CVE-2022-23634 Criticality: High URL: GHSA-rmj8-8hhh-gv5h Title: Information Exposure with Puma when used with Rails Solution: upgrade to ~> 4.3.11, >= 5.6.2 Name: puma Version: 4.3.3 Advisory: CVE-2021-41136 Criticality: Low URL: GHSA-48w2-rm65-62xx Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma Solution: upgrade to ~> 4.3.9, >= 5.5.1 Name: rack Version: 2.2.2 Advisory: CVE-2020-8184 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names Solution: upgrade to ~> 2.1.4, >= 2.2.3 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: rails_admin Version: 1.2.0 Advisory: CVE-2020-36190 Criticality: Medium URL: railsadminteam/rails_admin@d72090e Title: rails_admin ruby gem XSS vulnerability Solution: upgrade to ~> 1.4.3, >= 2.0.2 Name: rails_admin Version: 1.2.0 Advisory: CVE-2017-12098 Criticality: Medium URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450 Title: rails_admin ruby gem XSS vulnerability Solution: upgrade to >= 1.3.0 Name: rake Version: 12.3.0 Advisory: CVE-2020-8130 Criticality: High URL: GHSA-jppv-gw3r-w3q8 Title: OS Command Injection in Rake Solution: upgrade to >= 12.3.3 Name: redcarpet Version: 3.4.0 Advisory: CVE-2020-26298 Criticality: Medium URL: vmg/redcarpet@a699c82 Title: Injection/XSS in Redcarpet Solution: upgrade to >= 3.5.1 Name: websocket-extensions Version: 0.1.3 Advisory: CVE-2020-7663 Criticality: High URL: GHSA-g6wq-qcwm-j5g2 Title: Regular Expression Denial of Service in websocket-extensions (RubyGem) Solution: upgrade to >= 0.1.5

- Fix some vulnerabilities ``` Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 ``` - Fix factory_bot issues - Closes #1225

flavorjones added topic/security libxml2-upstream labels Aug 15, 2018

flavorjones added this to the 1.8.5 milestone Aug 15, 2018

flavorjones added a commit that referenced this issue Aug 15, 2018

pull in upstream libxml2 patches

5bff4bb

based on USN-3739-1 and -2. see related #1785.

flavorjones mentioned this issue Aug 15, 2018

pull in upstream libxml2 patches #1786

Merged

flavorjones removed this from the 1.8.5 milestone Aug 15, 2018

flavorjones closed this as completed Aug 15, 2018

flavorjones added this to the 1.8.5 milestone Oct 4, 2018

gregmolnar mentioned this issue Oct 5, 2018

upgrade nokogiri rails/rails#34088

Merged

roback added a commit to twingly/feedjira.herokuapp.com that referenced this issue Oct 5, 2018

Update nokogiri (CVE-2018-14404)

a5f2d10

sparklemotion/nokogiri#1785

roback added a commit to twingly/feedbag.herokuapp.com that referenced this issue Oct 5, 2018

Update nokogiri (CVE-2018-14404)

172023b

sparklemotion/nokogiri#1785

SViccari mentioned this issue Oct 5, 2018

Address security warning for nokogiri bostonrb/bostonrubygroup.com#43

Merged

phallstrom mentioned this issue Oct 7, 2018

Upgrade nokogiri gem to 1.8.5 to resolve CVE-2018-14404 railslink/railslink#49

Merged

mjankowski added a commit to mjankowski/rubygems.org that referenced this issue Oct 11, 2018

Update nokogiri to version 1.8.5

8d2a625

Resolves CVE described here: sparklemotion/nokogiri#1785

mjankowski mentioned this issue Oct 11, 2018

Update nokogiri to version 1.8.5 rubygems/rubygems.org#1799

Merged

AdrianCann mentioned this issue Oct 14, 2018

Update gems with security vulnerabilities sophomoric/secret#91

Merged

This was referenced Oct 18, 2018

Update 'deface' dependency version solidusio-contrib/solidus_static_content#21

Closed

Update 'deface' dependency version nebulab/solidus_static_content-1#1

Open

ur5us mentioned this issue Oct 18, 2018

Upgrade gems due to a security bug fix in Nokigiri lobsters/lobsters#577

Closed

rimenes mentioned this issue Oct 19, 2018

Security update for compromised gems. hugopl/reviewit#130

Merged

rimenes mentioned this issue Oct 23, 2018

Gem security updates. DroptuneHQ/droptune-og#70

Merged

mberrueta mentioned this issue Nov 2, 2018

Update nokogiri to 1.8.5 ~ CVE-2018-14404 rails/rails-html-sanitizer#79

Closed

frederikspang pushed a commit to frederikspang/rails-html-sanitizer that referenced this issue Nov 2, 2018

Addresses Security Issues in loofah and nokogiri

96c346a

flavorjones/loofah#154 and sparklemotion/nokogiri#1785

frederikspang mentioned this issue Nov 2, 2018

Addresses Security Issues in loofah and nokogiri rails/rails-html-sanitizer#80

Closed

mauromorales mentioned this issue Nov 7, 2018

Bump gems for security vulnerabilities cornelius/yes_it_shipped#11

Merged

johnsyweb mentioned this issue Dec 20, 2018

Automated Bundle Update johnsyweb/johnsyweb.github.io#8

Merged

flavorjones added the vendored/libxml2 label Jan 5, 2019

mapopa added a commit to mapopa/backup that referenced this issue Jan 22, 2019

update to nokogiri 1.8.5 sparklemotion/nokogiri#1785

f43196e

nickshatilo mentioned this issue Apr 26, 2019

Update nokogiri to 1.8.5 ~ CVE-2018-14404 Mange/roadie#161

Merged

This was referenced Mar 14, 2021

Bump nokogiri from 1.8.2 to 1.8.5 figure0/docs-travis-ci-com#1

Open

Bump nokogiri from 1.8.4 to 1.8.5 Whoerr/flight-manual.atom.io#6

Open

github-actions bot mentioned this issue Jun 3, 2021

Security Alert Test lazy-actions/gitrivy#99

Closed

github-actions bot mentioned this issue Dec 16, 2022

not relevant gisaia/ARLAS-wui#581

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Investigate Ubuntu libxml2 patches in USN-3739-1 and USN-3739-2 #1785

Investigate Ubuntu libxml2 patches in USN-3739-1 and USN-3739-2 #1785

flavorjones commented Aug 15, 2018 •

edited

Loading

flavorjones commented Aug 15, 2018

flavorjones commented Aug 15, 2018

flavorjones commented Aug 15, 2018

Investigate Ubuntu libxml2 patches in USN-3739-1 and USN-3739-2 #1785

Investigate Ubuntu libxml2 patches in USN-3739-1 and USN-3739-2 #1785

Comments

flavorjones commented Aug 15, 2018 • edited Loading

flavorjones commented Aug 15, 2018

USNs

CVEs

CVE-2016-9318

CVE-2017-16932

CVE-2017-18258

CVE-2018-14404

CVE-2018-14567

flavorjones commented Aug 15, 2018

Conclusions

flavorjones commented Aug 15, 2018

flavorjones commented Aug 15, 2018 •

edited

Loading