Upgrading `nokogiri` gem due to security vulnerability by juchem · Pull Request #256 · airbnb/synapse

juchem · 2018-04-23T22:59:51Z

Note that this upgrade changes minimum required ruby version from
1.9.3-p551 to 2.1.8.

$ bundle audit check
Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Vulnerabilities found!

Reviewers: @chase-childers @lap1817

Note that this upgrade changes minimum required ruby version from 1.9.3-p551 to 2.1.8. ``` $ bundle audit check Name: nokogiri Version: 1.6.8.1 Advisory: CVE-2016-4658 Criticality: Unknown URL: sparklemotion/nokogiri#1615 Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Solution: upgrade to >= 1.7.1 Name: nokogiri Version: 1.6.8.1 Advisory: CVE-2017-5029 Criticality: Unknown URL: sparklemotion/nokogiri#1634 Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 Solution: upgrade to >= 1.7.2 Name: nokogiri Version: 1.6.8.1 Advisory: CVE-2016-4658 Criticality: Unknown URL: sparklemotion/nokogiri#1615 Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Solution: upgrade to >= 1.7.1 Name: nokogiri Version: 1.6.8.1 Advisory: CVE-2017-5029 Criticality: Unknown URL: sparklemotion/nokogiri#1634 Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 Solution: upgrade to >= 1.7.2 Vulnerabilities found! ```

jolynch · 2018-04-24T00:36:13Z

@jnb this may impact Yelp's deployment? I'm not sure if you guys have upgraded to Ruby 2.1 yet?

juchem · 2018-04-24T01:58:35Z

We're still evaluating whether this is the proper solution.

juchem added 2 commits April 23, 2018 15:59

removing CI for versions that are not supported anymore

7ba5388

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrading `nokogiri` gem due to security vulnerability#256

Upgrading `nokogiri` gem due to security vulnerability#256
juchem wants to merge 2 commits intomasterfrom
mj-nokogiri

juchem commented Apr 23, 2018

Uh oh!

jolynch commented Apr 24, 2018

Uh oh!

juchem commented Apr 24, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

juchem commented Apr 23, 2018

Uh oh!

jolynch commented Apr 24, 2018

Uh oh!

juchem commented Apr 24, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants