
evaluate upstream libxslt patches mentioned in USN-3271-1 #1634

Closed
flavorjones opened this issue Apr 28, 2017 · 4 comments

Comments

flavorjones commented Apr 28, 2017

This issue is to drive investigation and potential action around a set of upstream libxslt patches that Canonical judged valuable enough to port to their distributions.

USN-3271-1

"libxslt vulnerabilities"

https://www.ubuntu.com/usn/usn-3271-1/

CVE-2017-5029

http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html

priority: medium

The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in
Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux
and 57.0.2987.108 for Android, lacked a check for integer overflow during a
size calculation, which allowed a remote attacker to perform an out of
bounds memory write via a crafted HTML page.

patches:

CVE-2016-1683

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1683.html

priority: medium

numbers.c in libxslt before 1.1.29, as used in Google Chrome before
51.0.2704.63, mishandles namespace nodes, which allows remote attackers to
cause a denial of service (out-of-bounds heap memory access) or possibly
have unspecified other impact via a crafted document.

patches:

CVE-2016-1841

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1841.html

priority: medium

libxslt, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS
before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption) via a
crafted web site.

patches:

CVE-2015-7995

http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7995.html

priority: low

The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not
check if the parent node is an element, which allows attackers to cause a
denial of service via a crafted XML file, related to a "type confusion"
issue.

patches:

CVE-2016-1684

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1684.html

priority: medium

numbers.c in libxslt before 1.1.29, as used in Google Chrome before
51.0.2704.63, mishandles the i format token for xsl:number data, which
allows remote attackers to cause a denial of service (integer overflow or
resource consumption) or possibly have unspecified other impact via a
crafted document.

patches:

CVE-2016-4738

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html

priority: medium

libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
watchOS before 3 allows remote attackers to execute arbitrary code or cause
a denial of service (memory corruption) via a crafted web site.

patches:
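For the bug class behind CVE-2017-5029 above (a size calculation with no overflow check when appending text to a growing buffer), here is an added illustration of the check such code needs. This is example code written for this page, not libxslt's xsltAddTextString or Nokogiri's patch; the textbuf type and function names are hypothetical.

```c
/* Added example, not libxslt's xsltAddTextString or Nokogiri's patch: an
 * overflow-checked append for a growing text buffer. The textbuf type and
 * function names are hypothetical; the point is the size check. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *data;  /* accumulated, NUL-terminated text (NULL when empty) */
    size_t len;  /* bytes in use, excluding the NUL */
    size_t cap;  /* bytes allocated */
} textbuf;

/* Bytes required to hold len existing bytes, add more bytes and a NUL.
 * Returns 0 when that sum would wrap around size_t: an unchecked
 * len + add + 1 would yield a small allocation followed by a large
 * memcpy, which is the out-of-bounds write CVE-2017-5029 describes. */
size_t textbuf_needed(size_t len, size_t add)
{
    if (len > SIZE_MAX - 1 || add > SIZE_MAX - 1 - len)
        return 0;
    return len + add + 1;
}

/* Append add bytes from s. Returns 1 on success, 0 if the size
 * calculation would overflow or the allocation fails; on 0 the buffer
 * is left unchanged instead of being written past its end. */
int textbuf_append(textbuf *buf, const char *s, size_t add)
{
    size_t need = textbuf_needed(buf->len, add);
    if (need == 0)
        return 0;
    if (need > buf->cap) {
        /* grow geometrically, but never past SIZE_MAX */
        size_t newcap = need > SIZE_MAX / 2 ? need : need * 2;
        char *p = realloc(buf->data, newcap);
        if (p == NULL)
            return 0;
        buf->data = p;
        buf->cap = newcap;
    }
    memcpy(buf->data + buf->len, s, add);
    buf->len += add;
    buf->data[buf->len] = '\0';
    return 1;
}
```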

flavorjones (Member, Author) commented:

To focus the decision, there are only two patches in this set that were not in libxslt 1.1.29: the patch for CVE-2017-5029 (medium) and the one for CVE-2016-4738 (medium).

I'd like to port these to Nokogiri and cut v1.7.2 as a security release.

I'll do this in the next few days unless I hear compelling objections here in the next 24 hours.

flavorjones added a commit that referenced this issue May 9, 2017
to address CVE-2017-5029 and CVE-2016-4738.

see #1634 for more information.
flavorjones (Member, Author) commented:

3c8d673 on the v1.7.x branch is green:

shipping it now.

flavorjones (Member, Author) commented:

v1.7.2 has been released with these patches.

flavorjones added a commit that referenced this issue May 9, 2017
to address CVE-2017-5029 and CVE-2016-4738.

see #1634 for more information.
flavorjones (Member, Author) commented:

And merged into master. Closing.

oliverguenther added a commit to opf/openproject that referenced this issue May 10, 2017
infertux added a commit to buckybox/webstore that referenced this issue May 10, 2017
infertux added a commit to buckybox/core that referenced this issue May 10, 2017
dreamfall added a commit to bitzesty/qae that referenced this issue May 15, 2017
amatriain added a commit to amatriain/feedbunch that referenced this issue May 15, 2017
This fixes a vulnerability; for more details see:

sparklemotion/nokogiri#1634
andrecedik added a commit to shipcloud/shipcloud-developer-portal that referenced this issue May 22, 2017
This fixes a [security issue with nokogiri v1.7.1](sparklemotion/nokogiri#1634)
jsonn pushed a commit to jsonn/pkgsrc that referenced this issue Jun 5, 2017
# 1.8.0 / 2017-06-04

## Backwards incompatibilities

This release ends support for Ruby 2.1 on Windows in the `x86-mingw32` and `x64-mingw32` platform gems (containing pre-compiled DLLs). Official support ended for Ruby 2.1 on 2017-04-01.

Please note that this deprecation note only applies to the precompiled Windows gems. Ruby 2.1 continues to be supported (for now) in the default gem when compiled on installation.


## Dependencies

* [Windows] Upgrade iconv from 1.14 to 1.15 (unless --use-system-libraries)
* [Windows] Upgrade zlib from 1.2.8 to 1.2.11 (unless --use-system-libraries)
* [MRI] Upgrade rake-compiler dependency from 0.9.2 to 1.0.3
* [MRI] Upgrade mini-portile2 dependency from `~> 2.1.0` to `~> 2.2.0`


## Compatibility notes

* [JRuby] Removed support for `jruby --1.8` code paths. [#1607] (Thanks, @kares!)
* [MRI Windows] Retrieve zlib source from http://zlib.net/fossils to avoid deprecation issues going forward. See #1632 for details around this problem.


## Features

* NodeSet#clone is not an alias for NodeSet#dup [#1503] (Thanks, @stephankaag!)
* Allow Processing Instructions and Comments as children of a document root. [#1033] (Thanks, @windwiny!)
* [MRI] PushParser#replace_entities and #replace_entities= will control whether entities are replaced or not. [#1017] (Thanks, @spraints!)
* [MRI] SyntaxError#to_s now includes line number, column number, and log level if made available by the parser. [#1304, #1637] (Thanks, @spk and @ccarruitero!)
* [MRI] Cross-built Windows gems now support Ruby 2.4
* [MRI] Support for frozen string literals. [#1413]
* [MRI] Support for installing Nokogiri on a machine in FIPS-enabled mode [#1544]
* [MRI] Vendored libraries are verified with SHA-256 hashes (formerly some MD5 hashes were used) [#1544]
* [JRuby] (performance) remove unnecessary synchronization of class-cache [#1563] (Thanks, @kares!)
* [JRuby] (performance) remove unnecessary cloning of objects in XPath searches [#1563] (Thanks, @kares!)
* [JRuby] (performance) more performance improvements, particularly in XPath, Reader, XmlNode, and XmlNodeSet [#1597] (Thanks, @kares!)


## Bugs

* HTML::SAX::Parser#parse_io now correctly parses HTML and not XML [#1577] (Thanks for the test case, @gregors!)
* Support installation on systems with a `lib64` site config. [#1562]
* [MRI] on OpenBSD, do not require gcc if using system libraries [#1515] (Thanks, @jeremyevans!)
* [MRI] XML::Attr.new checks type of Document arg to prevent segfaults. [#1477]
* [MRI] Prefer xmlCharStrdup (and friends) to strdup (and friends), which can cause problems on some platforms. [#1517] (Thanks, @jeremy!)
* [JRuby] correctly append a text node before another text node [#1318] (Thanks, @jkraemer!)
* [JRuby] custom xpath functions returning an integer now work correctly [#1595] (Thanks, @kares!)
* [JRuby] serializing (`#to_html`, `#to_s`, et al) a document with explicit encoding now works correctly. [#1281, #1440] (Thanks, @kares!)
* [JRuby] XML::Reader now returns parse errors [#1586] (Thanks, @kares!)
* [JRuby] Empty NodeSets are now decorated properly. [#1319] (Thanks, @kares!)
* [JRuby] Merged nodes no longer results in Java exceptions during XPath queries. [#1320] (Thanks, @kares!)


# 1.7.2 / 2017-05-09

## Security Notes

[MRI] Upstream libxslt patches are applied to the vendored libxslt 1.1.29 which address CVE-2017-5029 and CVE-2016-4738.

For more information:

* sparklemotion/nokogiri#1634
* http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
* http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html
zammad-sync pushed a commit to zammad/zammad that referenced this issue Jun 12, 2017
zammad-sync pushed a commit to zammad/zammad that referenced this issue Jun 13, 2017
zammad-sync pushed a commit to zammad/zammad that referenced this issue Jun 13, 2017
florrain pushed a commit to dandemeyere/responsys-api that referenced this issue Jun 19, 2017
* Update Nokogiri to v1.8.0

Addresses security vulnerability:
- [nokogiri issue 1615](sparklemotion/nokogiri#1615)
- [nokogiri issue 1634](sparklemotion/nokogiri#1634)
tmtmtmtm added a commit to everypolitician/viewer-sinatra that referenced this issue Jul 6, 2017
The currently installed version has a security advisory:

```
Updated ruby-advisory-db
ruby-advisory-db: 287 advisories
Name: nokogiri
Version: 1.7.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2
```
AdrianCann added a commit to sophomoric/secret that referenced this issue Jul 22, 2017
* Travis is failing because the ruby-advisory-db warnings say nokogiri is out
of date and has vulnerabilities.

sparklemotion/nokogiri#1615
sparklemotion/nokogiri#1634
sparklemotion/nokogiri#1473

* Also updated capybara-webkit which uses nokogiri
semipermeable pushed a commit to solanolabs/nokogiri that referenced this issue Aug 30, 2017
to address CVE-2017-5029 and CVE-2016-4738.

see sparklemotion#1634 for more information.

Conflicts:
	CHANGELOG.rdoc
AdrianCann added a commit to sophomoric/maddie that referenced this issue Oct 1, 2017
* Maybe I should write a script to automatically update nokogiri :)

ruby-advisory-db: 288 advisories
Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and
libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt
1.1.29
Solution: upgrade to >= 1.7.2

Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2017-9050
Criticality: Unknown
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE
vulnerabilities
Solution: upgrade to >= 1.8.1
michael-harrison pushed a commit to michael-harrison/exlibris-primo that referenced this issue Dec 6, 2017
havenwood added a commit to havenwood/connect-api-examples that referenced this issue Dec 7, 2017
Name: actionview
Version: 4.2.6
Advisory: CVE-2016-6316
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
Title: Possible XSS Vulnerability in Action View
Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1

Name: activerecord
Version: 4.2.6
Advisory: CVE-2016-6317
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
Title: Unsafe Query Generation Risk in Active Record
Solution: upgrade to >= 4.2.7.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2017-9050
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Solution: upgrade to >= 1.8.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2016-4658
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2015-8806
URL: sparklemotion/nokogiri#1473
Title: Denial of service or RCE from libxml2 and libxslt
Solution: upgrade to >= 1.6.8

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2017-5029
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2
juchem added a commit to airbnb/synapse that referenced this issue Apr 23, 2018
Note that this upgrade changes minimum required ruby version from
1.9.3-p551 to 2.1.8.

```
$ bundle audit check
Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Vulnerabilities found!
```