[Security] Bump nokogiri from 1.6.1 to 1.11.1

[dependabot-preview]

Bumps nokogiri from 1.6.1 to 1.11.1. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 nokogiri version 1.7.2 has been released.

This is a security update based on 1.7.1, addressing two upstream libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat.

These patches only apply when using Nokogiri's vendored libxslt package. If you're using your distro's system libraries, there's no need to upgrade from 1.7.0.1 or 1.7.1 at this time.

Full details are available at the github issue linked to in the changelog below.

---

1.7.2 / 2017-05-09

Security Notes

[MRI] Upstream libxslt patches are applied to the vendored libxslt

Patched versions: >= 1.7.2 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml 2.9.5.

It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663)

It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information. (CVE-2017-7375)

It was discovered that a buffer overflow existed in libxml2 when handling HTTP redirects. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-7376)

Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in libxml2 when handling elements. An attacker could use this to specially

Patched versions: >= 1.8.1 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxml, is affected by DoS vulnerabilities The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.6.

It was discovered that libxml2 incorrecty handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.

Patched versions: >= 1.8.2 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS Nokogiri Gem for JRuby contains a flaw that is triggered when handling a root element in an XML document. This may allow a remote attacker to cause a consumption of memory resources.

Patched versions: >= 1.6.3 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Denial of service or RCE from libxml2 and libxslt Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks.

For more information, the Ubuntu Security Notice is a good start: http://www.ubuntu.com/usn/usn-2994-1/

Patched versions: >= 1.6.8 Unaffected versions: < 1.6.0

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxml, is affected by DoS vulnerabilities The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.5.

Wei Lei discovered that libxml2 incorrecty handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.

Patched versions: >= 1.8.1 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri Command Injection Vulnerability A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method Nokogiri::CSS::Tokenizer#load_file with untrusted user input.

Patched versions: >= 1.10.4 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method Nokogiri::CSS::Tokenizer#load_file with untrusted user input.

Patched versions: >= 1.10.4 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2 Nokogiri version 1.6.7.2 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVE:

CVE-2015-7499 CVSS v2 Base Score: 5.0 (MEDIUM)

Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.

libxml2 could be made to crash if it opened a specially crafted file. It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service.

Patched versions: >= 1.6.7.2 Unaffected versions: < 1.6.0

Sourced from The Ruby Advisory Database.

Nokogiri gem contains several vulnerabilities in libxml2 Nokogiri version 1.6.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:

CVE-2015-5312 CVSS v2 Base Score: 7.1 (HIGH) The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.

CVE-2015-7497 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors.

CVE-2015-7498 CVSS v2 Base Score: 5.0 (MEDIUM)

Patched versions: >= 1.6.7.1 Unaffected versions: < 1.6.0

Sourced from The Ruby Advisory Database.

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Nokogiri version 1.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:

CVE-2016-4658 CVSS v3 Base Score: 9.8 (Critical) libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.

CVE-2016-5131 CVSS v3 Base Score: 8.8 (HIGH) Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.

Patched versions: >= 1.7.1 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Several vulnerabilities were discovered in the libxml2 and libxslt libraries that the Nokogiri gem depends on.

CVE-2015-1819 A denial of service flaw was found in the way libxml2 parsed XML documents. This flaw could cause an application that uses libxml2 to use an excessive amount of memory.

CVE-2015-7941 libxml2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted specially XML data.

CVE-2015-7942 The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data.

CVE-2015-7995

Patched versions: ~> 1.6.6.4; >= 1.6.7.rc4 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Revert libxml2 behavior in Nokogiri gem that could cause XSS [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here:

GNOME/libxml2@960f0e2

and more information is available about this commit and its impact here:

flavorjones/loofah#144

This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities.

If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here:

https://bugzilla.gnome.org/show_bug.cgi?id=769760

Patched versions: >= 1.8.3 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Nokogiri v1.10.5 has been released.

This is a security release. It addresses three CVEs in upstream libxml2, for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses these vulnerabilities.

Full details about the security update are available in Github Issue [#1943] sparklemotion/nokogiri#1943.

---

CVE-2019-13117

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html

Patched versions: >= 1.10.5 Unaffected versions: none

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects nokogiri xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. The Nokogiri RubyGem has patched it's vendored copy of libxml2 in order to prevent this issue from affecting nokogiri.

Affected versions: < 1.10.8

Sourced from The Ruby Advisory Database.

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2, and released this as v1.10.8

CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.

Patched versions: >= 1.10.8 Unaffected versions: none

Sourced from The GitHub Security Advisory Database.

XXE in Nokogiri

Severity

Nokogiri maintainers have evaluated this as Low Severity (CVSS3 2.6).

Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.

Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".

Affected Versions

Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3

Mitigation

Affected versions: <= 1.10.10

Sourced from The Ruby Advisory Database.

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability

Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.

Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".

Affected Versions

Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3

Mitigation

Patched versions: >= 1.11.0.rc4 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Nokogiri 1.8.5 has been released.

This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.

Full details about the security update are available in Github Issue #1785. [#1785]: sparklemotion/nokogiri#1785

---

[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.

Patched versions: >= 1.8.5 Unaffected versions: none

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects nokogiri The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.

Affected versions: < 1.8.2

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxslt, is affected by improper access control vulnerability Nokogiri v1.10.3 has been released.

This is a security release. It addresses a CVE in upstream libxslt rated as "Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More details are available below.

If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

Full details about the security update are available in Github Issue [#1892] sparklemotion/nokogiri#1892.

---

CVE-2019-11068

Permalinks are:

Patched versions: >= 1.10.3 Unaffected versions: none

Release notes

Sourced from nokogiri's releases.

v1.11.1 / 2021-01-06

Fixed

• [CRuby] If libxml-ruby is loaded before nokogiri, the SAX and Push parsers no longer call libxml-ruby's handlers. Instead, they defensively override the libxml2 global handler before parsing. [#2168]

SHA-256 Checksums of published gems

a41091292992cb99be1b53927e1de4abe5912742ded956b0ba3383ce4f29711c  nokogiri-1.11.1-arm64-darwin.gem
d44fccb8475394eb71f29dfa7bb3ac32ee50795972c4557ffe54122ce486479d  nokogiri-1.11.1-java.gem
f760285e3db732ee0d6e06370f89407f656d5181a55329271760e82658b4c3fc  nokogiri-1.11.1-x64-mingw32.gem
dd48343bc4628936d371ba7256c4f74513b6fa642e553ad7401ce0d9b8d26e1f  nokogiri-1.11.1-x86-linux.gem
7f49138821d714fe2c5d040dda4af24199ae207960bf6aad4a61483f896bb046  nokogiri-1.11.1-x86-mingw32.gem
5c26111f7f26831508cc5234e273afd93f43fbbfd0dcae5394490038b88d28e7  nokogiri-1.11.1-x86_64-darwin.gem
c3617c0680af1dd9fda5c0fd7d72a0da68b422c0c0b4cebcd7c45ff5082ea6d2  nokogiri-1.11.1-x86_64-linux.gem
42c2a54dd3ef03ef2543177bee3b5308313214e99f0d1aa85f984324329e5caa  nokogiri-1.11.1.gem

v1.11.0 / 2021-01-03

Notes

Faster, more reliable installation: Native Gems for Linux and OSX/Darwin

"Native gems" contain pre-compiled libraries for a specific machine architecture. On supported platforms, this removes the need for compiling the C extension and the packaged libraries. This results in much faster installation and more reliable installation, which as you probably know are the biggest headaches for Nokogiri users.

We've been shipping native Windows gems since 2009, but starting in v1.11.0 we are also shipping native gems for these platforms:

• Linux: x86-linux and x86_64-linux -- including musl platforms like alpine
• OSX/Darwin: x86_64-darwin and arm64-darwin

We'd appreciate your thoughts and feedback on this work at #2075.

Dependencies

Ruby

This release introduces support for Ruby 2.7 and 3.0 in the precompiled native gems.

This release ends support for:

• Ruby 2.3, for which official support ended on 2019-03-31 [#1886] (Thanks @ashmaroli!)
• Ruby 2.4, for which official support ended on 2020-04-05
• JRuby 9.1, which is the Ruby 2.3-compatible release.

Gems

Changelog

Sourced from nokogiri's changelog.

v1.11.1 / 2021-01-06

Fixed

• [CRuby] If libxml-ruby is loaded before nokogiri, the SAX and Push parsers no longer call libxml-ruby's handlers. Instead, they defensively override the libxml2 global handler before parsing. [#2168]

v1.11.0 / 2021-01-03

Notes

Faster, more reliable installation: Native Gems for Linux and OSX/Darwin

"Native gems" contain pre-compiled libraries for a specific machine architecture. On supported platforms, this removes the need for compiling the C extension and the packaged libraries. This results in much faster installation and more reliable installation, which as you probably know are the biggest headaches for Nokogiri users.

We've been shipping native Windows gems since 2009, but starting in v1.11.0 we are also shipping native gems for these platforms:

• Linux: x86-linux and x86_64-linux -- including musl platforms like alpine
• OSX/Darwin: x86_64-darwin and arm64-darwin

We'd appreciate your thoughts and feedback on this work at #2075.

Dependencies

Ruby

This release introduces support for Ruby 2.7 and 3.0 in the precompiled native gems.

This release ends support for:

• Ruby 2.3, for which official support ended on 2019-03-31 [#1886] (Thanks @ashmaroli!)
• Ruby 2.4, for which official support ended on 2020-04-05
• JRuby 9.1, which is the Ruby 2.3-compatible release.

Gems

• Explicitly add racc as a runtime dependency. [#1988] (Thanks, @voxik!)
• [MRI] Upgrade mini_portile2 dependency from ~> 2.4.0 to ~> 2.5.0 [#2005] (Thanks, @alejandroperea!)

Security

See note below about CVE-2020-26247 in the "Changed" subsection entitled "XML::Schema parsing treats input as untrusted by default".

Added

• Add Node methods for manipulating "keyword attributes" (for example, class and rel): #kwattr_values, #kwattr_add, #kwattr_append, and #kwattr_remove. [#2000]

Commits

• 7be6f04 version bump to v1.11.1
• aa0c399 dev: overhaul .gitignore
• 3d90c6d Merge pull request #2169 from sparklemotion/2168-active-support-test-failure
• bbf850c changelog: update for #2168
• ee69772 ci: another valgrind suppression
• f9a2c4e fix: restore proper error handling in the SAX push parser
• 35aa88b fix(cruby): reset libxml2's error handler in sax and push parsers
• 07459fd fix(test): clobber libxml2's global error handler before every test
• b682ac5 ci: ensure all tests are running setup
• 007662f github: update "installation difficulty" issue template
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)