Nokogiri security update v1.10.5

Nokogiri v1.10.5 was released on 2019-10-31.

This is a security release.

Maintainers realized, after the release of v1.10.5, that it addresses CVEs
in upstream libxslt rated as "Priority: Medium" and "Priority: Low" by
Canonical, and "NVD Severity: Medium" by Debian. More details are available
below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses
these vulnerabilities.

Full details about the security update are available in GitHub Issue #1943 (https://github.com/sparklemotion/nokogiri/issues/1943).

Affects: MRI users of Nokogiri's vendored libraries in Nokogiri <= v1.10.4

Advice: Upgrade to Nokogiri v1.10.5 or later


---

## 1.10.5 / 2019-10-31

### Security

[MRI] Vendored libxslt upgraded to v1.1.34 which addresses three CVEs for
libxslt:

* CVE-2019-13117
* CVE-2019-13118
* CVE-2019-18197

More details are available at #1943.

### Dependencies

* [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
* [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34
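A check for whether this advisory applies to a given application, added here as an example; it is not code from the Nokogiri project. It works from the two facts the "Affects" line above names: the locked nokogiri version (read from Gemfile.lock) and whether the gem was built against its vendored ("packaged") libxml2/libxslt or the system ones, which the 1.10.x gem reports under the libxml/source key of Nokogiri::VERSION_INFO (the hash that `nokogiri -v` prints as YAML), alongside ruby/engine. The Gemfile.lock text and VERSION_INFO hash in the block are constructed samples, and the function and constant names are this example's own.

```ruby
require "rubygems" # Gem::Version

# Versions quoted in the announcement above.
NOKOGIRI_FIXED = Gem::Version.new("1.10.5")
LIBXSLT_FIXED  = Gem::Version.new("1.1.34")

# Read the locked nokogiri version out of a Gemfile.lock. Resolved gem specs
# sit at a four-space indent under "specs:"; their dependency constraints
# (e.g. "nokogiri (>= 1.5.9)" under loofah) are six-space lines and the
# DEPENDENCIES entries are two-space lines, so anchoring on exactly four
# spaces picks the resolved version and never a constraint. A platform suffix
# such as "1.10.4-x64-mingw32" is trimmed. Returns nil when nokogiri is not
# locked at all.
def locked_nokogiri_version(lockfile_text)
  lockfile_text.each_line do |line|
    if (m = line.match(/\A {4}nokogiri \(([^)\s]+)\)/))
      return Gem::Version.new(m[1].split("-").first)
    end
  end
  nil
end

# Decide what the advisory means for one installation, given a hash shaped
# like Nokogiri::VERSION_INFO. Only "nokogiri", ruby/engine and libxml/source
# are consulted (assumed shape: the 1.10.x gem reports libxml/source as
# "packaged" for the vendored libraries and "system" otherwise). Verdicts:
#   :not_mri          - JRuby binds to Java XML libraries, not libxml2/libxslt
#   :system_libraries - the patch comes from the distro; check libxslt there
#   :affected         - MRI, vendored libraries, nokogiri <= 1.10.4
#   :fixed            - MRI, vendored libraries, nokogiri >= 1.10.5
def advisory_verdict(info)
  version = Gem::Version.new(info.fetch("nokogiri").to_s.split("-").first)
  engine  = info.dig("ruby", "engine")
  source  = info.dig("libxml", "source")

  return :not_mri          unless engine == "ruby"
  return :system_libraries if source == "system"
  return :fixed            if version >= NOKOGIRI_FIXED
  :affected
end

# For :system_libraries, compare the upstream libxslt version string (for
# example the output of `xslt-config --version`) against 1.1.34. Distros often
# backport the fixes without bumping this number, so false here means
# "ask your distro", not "vulnerable".
def system_libxslt_ok?(version_string)
  Gem::Version.new(version_string.strip) >= LIBXSLT_FIXED
end

# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.3.1)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      mini_portile2 (2.4.0)
      nokogiri (1.10.4)
        mini_portile2 (~> 2.4.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    loofah (~> 2.3.1)
LOCK

SAMPLE_VERSION_INFO = {
  "nokogiri" => "1.10.4",
  "ruby"     => { "version" => "2.6.5", "platform" => "x86_64-linux", "engine" => "ruby" },
  "libxml"   => { "binding" => "extension", "source" => "packaged",
                  "compiled" => "2.9.9", "loaded" => "2.9.9" },
}

if $PROGRAM_NAME == __FILE__
  puts "Gemfile.lock pins nokogiri #{locked_nokogiri_version(SAMPLE_LOCK)}"
  puts "verdict: #{advisory_verdict(SAMPLE_VERSION_INFO)}"
  puts "system libxslt 1.1.33 ok? #{system_libxslt_ok?('1.1.33')}"
end
```

In a real bundle, feed `File.read("Gemfile.lock")` to the first function and the hash from `bundle exec ruby -rnokogiri -e 'p Nokogiri::VERSION_INFO'` to the second; the engine check runs first because a JRuby install reports no libxml key at all.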


Hi, just throwing my 2 cents in here.

Upgrading to Nokogiri 1.10.5 for us broke our CircleCI implementation.

Fix ended up being to also upgrade:
bootsnap (1.4.5)
msgpack (1.3.1)


On Mon, Nov 18, 2019 at 5:25 AM Mike Dalessio <mike.dalessio@gmail.com> wrote:

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk>

Hi James,

Can I ask that you please open a GitHub issue on Nokogiri? Without any
accompanying information I don't know where to start to diagnose what
you're seeing.


On Sun, Nov 17, 2019, 9:11 PM James Middlemiss <james.o.middlemiss@gmail.com> wrote:


Hey mate,
Sorry, I did not mean to reply to this larger thread, I meant to forward
elsewhere with more of a "I had a problem here, this fixed it". However,
now that we're here, I'm not sure this is even a Nokogiri problem. I'll
try to explain:

Dependabot picked up a loofah bump: gem "loofah", "~> 2.3.1"

Which updated GEMS
loofah (2.2.3) to loofah (2.3.1)
and
nokogiri (1.10.4) to nokogiri (1.10.5)

and DEPENDENCIES
loofah (2.2.3) to loofah (2.3.1)

This failed our CI check:

#!/bin/bash -eo pipefail
bin/rails db:schema:load --trace
Traceback (most recent call last):
    17: from bin/rails:6:in `<main>'
    16: from bin/rails:6:in `require_relative'
    15: from /home/circleci/project/config/boot.rb:6:in `<top (required)>'
    14: from /home/circleci/project/config/boot.rb:6:in `require'
    13: from /home/circleci/project/vendor/bundle/gems/bootsnap-1.3.2/lib/bootsnap/setup.rb:1:in `<top (required)>'
    12: from /home/circleci/project/vendor/bundle/gems/bootsnap-1.3.2/lib/bootsnap/setup.rb:1:in `require_relative'
    11: from /home/circleci/project/vendor/bundle/gems/bootsnap-1.3.2/lib/bootsnap.rb:3:in `<top (required)>'
    10: from /home/circleci/project/vendor/bundle/gems/bootsnap-1.3.2/lib/bootsnap.rb:3:in `require_relative'
     9: from /home/circleci/project/vendor/bundle/gems/bootsnap-1.3.2/lib/bootsnap/load_path_cache.rb:55:in `<top (required)>'
     8: from /home/circleci/project/vendor/bundle/gems/bootsnap-1.3.2/lib/bootsnap/load_path_cache.rb:55:in `require_relative'
     7: from /home/circleci/project/vendor/bundle/gems/bootsnap-1.3.2/lib/bootsnap/load_path_cache/store.rb:3:in `<top (required)>'
     6: from /home/circleci/project/vendor/bundle/gems/bootsnap-1.3.2/lib/bootsnap/explicit_require.rb:39:in `with_gems'
     5: from /home/circleci/project/vendor/bundle/gems/bootsnap-1.3.2/lib/bootsnap/explicit_require.rb:43:in `rescue in with_gems'
     4: from /home/circleci/project/vendor/bundle/gems/bootsnap-1.3.2/lib/bootsnap/load_path_cache/store.rb:3:in `block in <top (required)>'
     3: from /home/circleci/project/vendor/bundle/gems/bootsnap-1.3.2/lib/bootsnap/load_path_cache/store.rb:3:in `require'
     2: from /home/circleci/project/vendor/bundle/gems/msgpack-1.2.4/lib/msgpack.rb:8:in `<top (required)>'
     1: from /home/circleci/project/vendor/bundle/gems/msgpack-1.2.4/lib/msgpack.rb:11:in `rescue in <top (required)>'
/home/circleci/project/vendor/bundle/gems/msgpack-1.2.4/lib/msgpack.rb:11:in `require': libruby.so.2.6: cannot open shared object file: No such file or directory - /home/circleci/project/vendor/bundle/gems/msgpack-1.2.4/lib/msgpack/msgpack.so (LoadError)
Exited with code 1

I updated bootsnap (1.3.2) to bootsnap (1.4.5)
and msgpack (1.2.4) to msgpack (1.3.1)

Got the CI instance to boot and properly execute.

Sorry for replying to the main thread. That won't happen again.

Best, James.


On Mon, Nov 18, 2019 at 1:32 PM Mike Dalessio <mike.dalessio@gmail.com> wrote:
