Project

General

Profile

Actions
Copy link

Defect #26183

closed

Use Nokogiri 1.7.2

Added by Go MAEDA over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jean-Philippe Lang
Category:
Security
Target version:
3.2.7
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:
3.2.6

Description

Redmine 3.3-stable / 3.2-stable uses Nokogiri 1.6.8 but version from 1.6.8 from 1.7.1 has some security issues (see https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md for details).

Fixed in 1.7.2:

  • CVE-2017-5029
  • CVE-2016-4738

Fixed in 1.7.1:

  • CVE-2016-4658
  • CVE-2016-5131

We should use Nokogiri >= 1.7.2 but unfortunately it requires Ruby >= 2.1.0 (see r16167). The attached patch uses Nokogiri ~> 1.7.2 if RUBY_VERSION >= 2.1.0.

I received this report from Sho Hashimoto.

Files

use-nokogiri-1_7_2.diff (429 Bytes) use-nokogiri-1_7_2.diff Go MAEDA, 2017-06-17 11:34

Related issues

Related to Redmine - Feature #25538: Drop support for Ruby 2.2.1 and ealier, 2.2.2+ is now requiredClosedJean-Philippe Lang

Actions
Related to Redmine - Defect #27505: Cannot install nokogiri 1.7 on Windows Ruby 2.4Closed

Actions
Actions
Copy link

Also available in: Atom PDF