From ce64709d342893ca5b41013c32aa8d29e42f8b68 Mon Sep 17 00:00:00 2001
From: ag
Date: Tue, 6 Feb 2024 12:07:27 +0100
Subject: [PATCH] commit by to_remotes 2024-02-06 12:07:27 +0100 from vmdevac
---
 bundle-audit-time.txt | 2 +-
 bundle-audit.json | 2 +-
 report.txt | 10 +++++++++-
 update-info.txt | 12 ++++++++----
 4 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/bundle-audit-time.txt b/bundle-audit-time.txt
index 8749b66..6df33bf 100644
--- a/bundle-audit-time.txt
+++ b/bundle-audit-time.txt
@@ -1 +1 @@
-2024-02-05T12:54:37+01:00
+2024-02-06T12:07:25+01:00
diff --git a/bundle-audit.json b/bundle-audit.json
index d16f0bf..1702851 100644
--- a/bundle-audit.json
+++ b/bundle-audit.json
@@ -1 +1 @@
-{"version":"0.9.1","created_at":"2024-02-05 12:54:36 +0100","results":[]}
\ No newline at end of file
+{"version":"0.9.1","created_at":"2024-02-06 12:07:25 +0100","results":[{"type":"unpatched_gem","gem":{"name":"nokogiri","version":"1.16.0"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml","id":"GHSA-xc9x-jj77-9p9j","url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j","title":"Improper Handling of Unexpected Data Type in Nokogiri","date":"2024-02-04","description":"### Summary\n\nNokogiri v1.16.2 upgrades the version of its dependency libxml2 to v2.12.5.\n\nlibxml2 v2.12.5 addresses the following vulnerability:\n\nCVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062\ndescribed at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604\npatched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970\n\nPlease note that this advisory only applies to the CRuby implementation of\nNokogiri < 1.16.2, and only if the packaged libraries are being used. If\nyou've overridden defaults at installation time to use system libraries\ninstead of packaged libraries, you should instead pay attention to your\ndistro's libxml2 release announcements.\n\n### Severity\n\nThe Nokogiri maintainers have evaluated this as **Moderate**.\n\n### Mitigation\n\nUpgrade to Nokogiri >= 1.16.2.\n\nUsers who are unable to upgrade Nokogiri may also choose a more complicated\nmitigation: compile and link Nokogiri against external libraries libxml2 >=\n2.12.5 which will also address these same issues.\n\nJRuby users are not affected.\n\n### Workarounds\n","cvss_v2":null,"cvss_v3":null,"cve":null,"osvdb":null,"ghsa":"xc9x-jj77-9p9j","unaffected_versions":[],"patched_versions":[">= 1.16.2"],"criticality":null}}]}
\ No newline at end of file
diff --git a/report.txt b/report.txt
index 8900c02..1bcba69 100644
--- a/report.txt
+++ b/report.txt
@@ -1 +1,9 @@
-No vulnerabilities found
+Name: nokogiri
+Version: 1.16.0
+GHSA: GHSA-xc9x-jj77-9p9j
+Criticality: Unknown
+URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
+Title: Improper Handling of Unexpected Data Type in Nokogiri
+Solution: upgrade to '>= 1.16.2'
+
+Vulnerabilities found!
diff --git a/update-info.txt b/update-info.txt
index 781a450..5beca3d 100644
--- a/update-info.txt
+++ b/update-info.txt
@@ -1,7 +1,11 @@
 Updating ruby-advisory-db ...
-Already up to date.
+Updating a68eda3..ddfa779
+Fast-forward
+ gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml | 48 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+ create mode 100644 gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml
 Updated ruby-advisory-db
 ruby-advisory-db:
- advisories: 853 advisories
- last updated: 2024-01-24 20:17:59 -0800
- commit: a68eda32fca4a16811aa4e666738632f18aca1ba
+ advisories: 854 advisories
+ last updated: 2024-02-05 12:56:34 -0800
+ commit: ddfa779959bdb0b6dc600ca450ec1be93a15f3c1
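Review bot: The new `Criticality: Unknown` line understates this finding — the matching entry in bundle-audit.json has `cvss_v2`, `cvss_v3` and `cve` all null, so the tool has no score to map, yet the advisory text it carries says the Nokogiri maintainers rated it **Moderate** and ties it to CVE-2024-25062 in libxml2. Anything downstream that routes or gates on the Criticality field should treat Unknown as "unscored, read the advisory" rather than as low or none, or fall back to the GHSA severity text when CVSS is absent. The commit records the finding but not the remediation: the `Solution: upgrade to '>= 1.16.2'` line implies a nokogiri bump from 1.16.0, and no Gemfile.lock (or equivalent) is among the four files changed, so presumably that still has to happen in a separate change. Note also the advisory's scope caveat: it applies only to CRuby builds using Nokogiri's packaged libxml2; if this deployment links the system libxml2, the relevant fix is the distro's libxml2 >= 2.12.5 and this report line is a false positive for the gem itself.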