Defect #26183
closedUse Nokogiri 1.7.2
0%
Description
Redmine 3.3-stable / 3.2-stable uses Nokogiri 1.6.8 but version from 1.6.8 from 1.7.1 has some security issues (see https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md for details).
Fixed in 1.7.2:
- CVE-2017-5029
- CVE-2016-4738
Fixed in 1.7.1:
- CVE-2016-4658
- CVE-2016-5131
We should use Nokogiri >= 1.7.2 but unfortunately it requires Ruby >= 2.1.0 (see r16167). The attached patch uses Nokogiri ~> 1.7.2 if RUBY_VERSION >= 2.1.0.
I received this report from Sho Hashimoto.
Files
Related issues
Updated by Toshi MARUYAMA over 7 years ago
- Project changed from 2 to Redmine
- Subject changed from Use Nokogiri 1.7.2 if possible to Nokogiri 1.7.2
- Category set to Security
Updated by Toshi MARUYAMA over 7 years ago
Backport USN-3235-1 to 1.6.8.x stream
https://github.com/sparklemotion/nokogiri/pull/1640
Updated by Toshi MARUYAMA over 7 years ago
- Related to Feature #25538: Drop support for Ruby 2.2.1 and ealier, 2.2.2+ is now required added
Updated by Toshi MARUYAMA over 7 years ago
Nokogiri team refused to maintain old release for old Ruby.
https://github.com/sparklemotion/nokogiri/pull/1640#issuecomment-309409944
Updated by Holger Just over 7 years ago
In that case, there is not much we can do, besides advising people that it might be a good idea to use a more modern Ruby. People who still require the use of older Rubies (e.g. because they can't or are not allowed to install newer versions) have to deal with the security implications this might bring. They can still use nokogiri 1.6.8 securely if they use a (patched) libxml version from their OS.
As for removing the support for older ruby versions: my comments in #25538 still stand.
Updated by Jean-Philippe Lang over 7 years ago
- Subject changed from Nokogiri 1.7.2 to Use Nokogiri 1.7.2
- Status changed from New to Closed
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
Updated by Toshi MARUYAMA about 7 years ago
- Related to Defect #27505: Cannot install nokogiri 1.7 on Windows Ruby 2.4 added