🚨 [security] Update loofah: 2.2.2 → 2.3.1 (minor) #213

depfu · 2019-10-24T04:19:44Z

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ loofah (indirect, 2.2.2 → 2.3.1) · Repo · Changelog

Security Advisories 🚨

🚨 Loofah XSS Vulnerability

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in
sanitized output when a crafted SVG element is republished.

🚨 Loofah XSS Vulnerability

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Loofah maintainers have evaluated this as Medium (CVSS3 6.4).

Release Notes

2.3.1

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at #171

2.3.0 (from changelog)

Features

Expand set of allowed protocols to include tel: and line:. [#104, #147]

Expand set of allowed CSS functions. [related to #122]

Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)

Allow CSS property list-style [#162] (Thanks, @jaredbeck!)

Allow CSS keywords thick and thin [#168] (Thanks, @georgeclaghorn!)

Allow HTML property contenteditable [#167] (Thanks, @andreynering!)

Bug fixes

CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)

Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.

Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.

Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

2.2.3

Notably, this release addresses CVE-2018-16468.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 48 commits:

↗️ crass (indirect, 1.0.4 → 1.0.6) · Repo · Changelog

Release Notes

1.0.6

Number values are now limited to a maximum of Float::MAX and a minimum of negative Float::MAX. (#11)

Added project metadata to the gemspec. (#9 - @orien)

1.0.5

Removed test files from the gem. (#8 - @t-richards)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ mini_portile2 (indirect, 2.3.0 → 2.4.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 10 commits:

↗️ nokogiri (indirect, 1.8.5 → 1.10.10) · Repo · Changelog

Security Advisories 🚨

🚨 xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

🚨 Nokogiri gem, via libxslt, is affected by multiple vulnerabilities

Nokogiri v1.10.5 has been released.

This is a security release. It addresses three CVEs in upstream libxml2,
for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses
these vulnerabilities.

Full details about the security update are available in Github Issue
[#1943] #1943.

CVE-2019-13117

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html

Priority: Low

Description: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings
could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This
could allow an attacker to discern whether a byte on the stack contains the
characters A, a, I, i, or 0, or any other character.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1

CVE-2019-13118

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html

Priority: Low

Description: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an
xsl:number instruction was too narrow and an invalid character/length
combination could be passed to xsltNumberFormatDecimal, leading to a read
of uninitialized stack data

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b

CVE-2019-18197

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18197.html

Priority: Medium

Description: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't
reset under certain circumstances. If the relevant memory area happened to
be freed and reused in a certain way, a bounds check could fail and memory
outside a buffer could be written to, or uninitialized data could be
disclosed.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285

🚨 Nokogiri Command Injection Vulnerability

🚨 Nokogiri gem, via libxslt, is affected by improper access control vulnerability

Nokogiri v1.10.3 has been released.

This is a security release. It addresses a CVE in upstream libxslt rated as
"Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More
details are available below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time, though
you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that this patch is not yet (as
of 2019-04-22) in an upstream release of libxslt.

Full details about the security update are available in Github Issue
[#1892] #1892.

CVE-2019-11068

Permalinks are:

Canonical: https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11068

Debian: https://security-tracker.debian.org/tracker/CVE-2019-11068

Description:

libxslt through 1.1.33 allows bypass of a protection mechanism
because callers of xsltCheckRead and xsltCheckWrite permit access
even upon receiving a -1 error code. xsltCheckRead can return -1 for
a crafted URL that is not actually invalid and is subsequently
loaded.

Canonical rates this as "Priority: Medium".

Debian rates this as "NVD Severity: High (attack range: remote)".

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@depfu rebase
Rebases against your default branch and redoes this update

@depfu recreate
Recreates this PR, overwriting any edits that you've made to it

@depfu merge
Merges this PR once your tests are passing and conflicts are resolved

@depfu close
Closes this PR and deletes the branch

@depfu reopen
Restores the branch and reopens this PR (if it's closed)

@depfu pause
Ignores all future updates for this dependency and closes this PR

@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR

@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

sourcelevel-bot · 2020-10-28T19:17:05Z

SourceLevel has finished reviewing this Pull Request and has found:

6 fixed issues! 🎉

See more details about this review.

depfu bot added the depfu label Oct 24, 2019

depfu bot mentioned this pull request Oct 24, 2019

🚨 [security] Update loofah: 2.2.2 → 2.2.3 (patch) #144

Closed

Update loofah to version 2.3.1

bbc4486

depfu bot force-pushed the depfu/update/loofah-2.3.1 branch from 3105196 to bbc4486 Compare October 28, 2020 19:15

depfu bot changed the title ~~🚨 [security] Update loofah: 2.2.2 → 2.3.1 (minor)~~ 🚨 [security] Update loofah: 2.2.2 → 2.3.1 (minor) Oct 28, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🚨 [security] Update loofah: 2.2.2 → 2.3.1 (minor) #213

🚨 [security] Update loofah: 2.2.2 → 2.3.1 (minor) #213

depfu bot commented Oct 24, 2019 •

edited

Loading

sourcelevel-bot bot commented Oct 28, 2020

🚨 [security] Update loofah: 2.2.2 → 2.3.1 (minor) #213

Are you sure you want to change the base?

🚨 [security] Update loofah: 2.2.2 → 2.3.1 (minor) #213

Conversation

depfu bot commented Oct 24, 2019 • edited Loading

What changed?

↗️ loofah (indirect, 2.2.2 → 2.3.1) · Repo · Changelog

2.3.1 / 2019-10-22

Security

2.3.0 (from changelog)

Features

Bug fixes

Deprecations / Name Changes

↗️ crass (indirect, 1.0.4 → 1.0.6) · Repo · Changelog

↗️ mini_portile2 (indirect, 2.3.0 → 2.4.0) · Repo · Changelog

↗️ nokogiri (indirect, 1.8.5 → 1.10.10) · Repo · Changelog

sourcelevel-bot bot commented Oct 28, 2020

depfu bot commented Oct 24, 2019 •

edited

Loading