Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrading nokogiri gem due to security vulnerability #256

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Upgrading nokogiri gem due to security vulnerability #256

wants to merge 2 commits into from

Conversation

juchem
Copy link
Contributor

@juchem juchem commented Apr 23, 2018

Note that this upgrade changes minimum required ruby version from
1.9.3-p551 to 2.1.8.

$ bundle audit check
Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Vulnerabilities found!

Reviewers: @chase-childers @lap1817

@juchem
Upgrading nokogiri gem due to security vulnerability
fa1cb60 
Note that this upgrade changes minimum required ruby version from
1.9.3-p551 to 2.1.8.

```
$ bundle audit check
Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Vulnerabilities found!
```
@juchem
removing CI for versions that are not supported anymore
7ba5388
@jolynch
Copy link
Collaborator

jolynch commented Apr 24, 2018

@jnb this may impact Yelp's deployment? I'm not sure if you guys have upgraded to Ruby 2.1 yet?

@juchem
Copy link
Contributor Author

juchem commented Apr 24, 2018

We're still evaluating whether this is the proper solution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@juchem @jolynch