Depfu

🚨 [security] Update commonmarker 0.17.13 → 0.23.10 (major)

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we’ve sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we’ll send you a few more. We’ll never open more than seven PRs at the same time so you’re not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ commonmarker (indirect, 0.17.13 → 0.23.10) · Repo · Changelog

Security Advisories 🚨

🚨 Several quadratic complexity bugs may lead to denial of service in Commonmarker

Impact

Several quadratic complexity bugs in commonmarker's underlying
cmark-gfm library may
lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

CVE-2023-37463

For more information, consult the release notes for version
0.29.0.gfm.12.

Mitigation

Users are advised to upgrade to commonmarker version
0.23.10.

🚨 Commonmarker vulnerable to to several quadratic complexity bugs that may lead to denial of service

Impact

Several quadratic complexity bugs in commonmarker's underlying
cmark-gfm library may lead to unbounded resource exhaustion and
subsequent denial of service.

The following vulnerabilities were addressed:

CVE-2023-24824

CVE-2023-26485

For more information, consult the release notes for versions
0.23.0.gfm.10 and 0.23.0.gfm.11.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.9

🚨 Several quadratic complexity bugs may lead to denial of service in Commonmarker

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm
library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

CVE-2023-22483

CVE-2023-22484

CVE-2023-22485

CVE-2023-22486

For more information, consult the release notes for version
0.23.0.gfm.7.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.7.

🚨 Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

Impact

CommonMarker uses cmark-gfm for rendering Github Flavored
Markdown. A polynomial time complexity issue
in cmark-gfm's autolink extension may lead to unbounded resource exhaustion
and subsequent denial of service.

Patches

This vulnerability has been patched in the following CommonMarker release:

v0.23.6

Workarounds

Disable use of the autolink extension.

References

https://en.wikipedia.org/wiki/Time_complexity

🚨 Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption

Impact

CommonMarker uses cmark-gfm for rendering Github Flavored Markdown.
An integer overflow in cmark-gfm's table row parsing
may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX
columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution.

If affected versions of CommonMarker are used for rendering remote user controlled markdown, this
vulnerability may lead to Remote Code Execution (RCE).

Patches

This vulnerability has been patched in the following CommonMarker release:

v0.23.4

Workarounds

The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling any use of the
table extension will prevent this vulnerability from being triggered.

🚨 Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption

Impact

CommonMarker uses cmark-gfm for rendering
Github Flavored Markdown.
An integer overflow in cmark-gfm's table row parsing
may lead to heap memory corruption when parsing tables who's marker
rows contain more than UINT16_MAX columns. The impact of this heap
corruption ranges from Information Leak to Arbitrary Code Execution.

If affected versions of CommonMarker are used for rendering remote
user controlled markdown, this vulnerability may lead to
Remote Code Execution (RCE).

Patches

This vulnerability has been patched in the following CommonMarker release:

v0.23.4

Workarounds

The vulnerability exists in the table markdown extensions of
cmark-gfm. Disabling any use of the table extension will prevent
this vulnerability from being triggered.

References

GHSA-mc3g-88wq-6f4x

Acknowledgements

We would like to thank Felix Wilhelm of Google's Project Zero
for reporting this vulnerability

For more information

If you have any questions or comments about this advisory:

Open an issue in CommonMarker

Release Notes

0.23.10

What's Changed

Update to 0.29.0.gfm.13 by @anticomputer in #247

Full Changelog: v0.23.9...v0.23.10

0.23.9

What's Changed

Update to 0.29.0.gfm.11 by @anticomputer in #236

Full Changelog: v0.23.8...v0.23.9

0.23.8

What's Changed

Update cmark-upstream to 0.29.0.gfm.9 by @smockle in #227

New Contributors

@smockle made their first contribution in #227

Full Changelog: v0.23.7...v0.23.8

0.23.7

What's Changed

C API stable test by @gjtorikian in #201

Update to 29.0.gfm.7 by @anticomputer in #224

Full Changelog: v0.23.6...v0.23.7

0.23.6

What's Changed

This release includes two updates from the upstream cmark-gfm library, namely:

DoS vulnerability in autolink extension per GHSA-cgh3-p57x-9q7q

Added xmpp: and mailto: support to the autolink extension

0.22.0

Drop ruby-enum (#140)

0.21.0

Add support for tasklist_item_checked=: #116

0.19.0

Support tasklists: #94

Indicate the context of a parse/render option error: #97

0.18.0

Default to being safe: #81

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ github-pages (200 → 228) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Sorry, we couldn’t find anything useful about this release.

↗️ activesupport (indirect, 4.2.11.1 → 5.2.8.1) · Repo · Changelog

Security Advisories 🚨

🚨 Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the raw: true parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:
data = cache.fetch("demo", raw: true) { untrusted_string }
Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.

In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds

It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the raw argument should be double-checked to ensure that they conform to the expected format.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ addressable (indirect, 2.7.0 → 2.8.5) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service in Addressable templates

Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption,
leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input,
but nonetheless, no previous security advisory for Addressable has cautioned against doing this.
Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.

Release Notes

2.8.5 (from changelog)

Fix thread safety issue with encoding tables (#515)

Define URI::NONE as a module to avoid serialization issues (#509)

Fix YAML serialization (#508)

2.8.4 (from changelog)

Restore Addressable::IDNA.unicode_normalize_kc as a deprecated method (#504)

2.8.3 (from changelog)

Fix template expand level 2 hash support for non-string objects (#499, #498)

2.8.2 (from changelog)

Improve cache hits and JIT friendliness (#486)

Improve code style and test coverage (#482)

Ensure reset of deferred validation (#481)

Resolve normalization differences between IDNA::Native and IDNA::Pure (#408, #492)

Remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438) (accidentally reverted by #449 merge but added back in #492)

2.8.1 (from changelog)

refactor Addressable::URI.normalize_path to address linter offenses (#430)

remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438)

update gemspec to reflect supported Ruby versions (#466, #464, #463)

compatibility w/ public_suffix 5.x (#466, #465, #460)

fixes "invalid byte sequence in UTF-8" exception when unencoding URLs containing non UTF-8 characters (#459)

Ractor compatibility (#449)

use the whole string instead of a single line for template match (#431)

force UTF-8 encoding only if needed (#341)

2.8.0 (from changelog)

fixes ReDoS vulnerability in Addressable::Template#match

no longer replaces + with spaces in queries for non-http(s) schemes

fixed encoding ipv6 literals

the :compacted flag for normalized_query now dedupes parameters

fix broken escape_component alias

dropping support for Ruby 2.0 and 2.1

adding Ruby 3.0 compatibility for development tasks

drop support for rack-mount and remove Addressable::Template#generate

performance improvements

switch CI/CD to GitHub Actions

Does any of this look wrong? Please let us know.

↗️ concurrent-ruby (indirect, 1.1.5 → 1.2.2) · Repo · Changelog

Release Notes

1.2.2

concurrent-ruby 1.2.2:

(#993) Fix arguments passed to Concurrent::Map's default_proc.

1.2.1

concurrent-ruby 1.2.1:

(#990) Add missing require 'fiber' for FiberLocalVar.

(#989) Optimize Concurrent::Map#[] on CRuby by letting the backing Hash handle the default_proc.

1.2.0

concurrent-ruby 1.2.0:

(#975) Set the Ruby compatibility version at 2.3

(#962) Fix ReentrantReadWriteLock to use the same granularity for locals as for Mutex it uses.

(#983) Add FiberLocalVar

(#934) concurrent-ruby now supports requiring individual classes (public classes listed in the docs), e.g., require 'concurrent/map'

(#976) Let Promises.any_fulfilled_future take an Event

Improve documentation of various classes

(#972) Remove Rubinius-related code

concurrent-ruby-edge 0.7.0:

(#975) Set the Ruby compatibility version at 2.3

(#934) concurrent-ruby now supports requiring individual classes (public classes listed in the docs), e.g., require 'concurrent/map'

(#972) Remove Rubinius-related code

1.1.10

concurrent-ruby:

(#951) Set the Ruby compatibility version at 2.2

(#939, #933) The caller_runs fallback policy no longer blocks reads from the job queue by worker threads

(#938, #761, #652) You can now explicitly prune_pool a thread pool (Sylvain Joyeux)

(#937, #757, #670) We switched the Yahoo stock API for demos to Alpha Vantage (Gustavo Caso)

(#932, #931) We changed how SafeTaskExecutor handles local jump errors (Aaron Jensen)

(#927) You can use keyword arguments in your initialize when using Async (Matt Larraz)

(#926, #639) We removed timeout from TimerTask because it wasn't sound, and now it's a no-op with a warning (Jacob Atzen)

(#919) If you double-lock a re-entrant read-write lock, we promote to locked for writing (zp yuan)

(#915) monotonic_time now accepts an optional unit parameter, as Ruby's clock_gettime (Jean Boussier)

1.1.9 (from changelog)

concurrent-ruby:

(#866) Child promise state not set to :pending immediately after #execute when parent has completed

(#905, #872) Fix RubyNonConcurrentPriorityQueue#delete method

(2df0337d) Make sure locks are not shared on shared when objects are dup/cloned

(#900, #906, #796, #847, #911) Fix Concurrent::Set tread-safety issues on CRuby

(#907) Add new ConcurrentMap backend for TruffleRuby

1.1.8 (from changelog)

(#885) Fix race condition in TVar for stale reads

(#884) RubyThreadLocalVar: Do not iterate over hash which might conflict with new pair addition

1.1.7 (from changelog)

concurrent-ruby:

(#879) Consider falsy value on Concurrent::Map#compute_if_absent for fast non-blocking path

(#876) Reset Async queue on forking, makes Async fork-safe

(#856) Avoid running problematic code in RubyThreadLocalVar on MRI that occasionally results in segfault

(#853) Introduce ThreadPoolExecutor without a Queue

1.1.6 (from changelog)

concurrent-ruby:

(#841) Concurrent.disable_at_exit_handlers! is no longer needed and was deprecated.

(#841) AbstractExecutorService#auto_terminate= was deprecated and has no effect. Set :auto_terminate option instead when executor is initialized.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ dnsruby (indirect, 1.61.3 → 1.70.0) · Repo

Commits

See the full diff on Github. The new version differs by 22 commits:

↗️ em-websocket (indirect, 0.5.1 → 0.5.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 24 commits:

↗️ ethon (indirect, 0.12.0 → 0.16.0) · Repo · Changelog

Release Notes

0.15.0 (from changelog)

Full Changelog

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ execjs (indirect, 2.7.0 → 2.8.1) · Repo

Release Notes

2.8.1

Wait for STDOUT to be flushed before exiting the node runtime

2.8.0

Fix Ruby 3.0 compatibility on Windows

Undefine console, process and other globals. See #43

Removed the RubyRacer runtime as it is no longer maintained and broken on recent rubies.

Node runtime look for node before nodejs.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 38 commits:

↗️ faraday (indirect, 0.16.2 → 2.7.10) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ffi (indirect, 1.11.1 → 1.15.5) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ github-pages-health-check (indirect, 1.16.1 → 1.17.9) · Repo

Release Notes

1.17.9

What's Changed

Fix IPv6 support (AAAA records validation) in #140

Full Changelog: v1.17.8...v1.17.9

1.17.8

What's Changed

Require bundler in script/check to avoid needing to run bundle exec. by @jriggins in #137

Remove Travis builds by @jriggins in #138

Add AAAA Support by @jriggins in #136

Bump version to 1.17.8 by @jriggins in #139

Full Changelog: v1.17.7...v1.17.8

1.17.6

Query DNS to Determine Apex Domains

1.17.2

Allows for non-200 requests to satisfy served_by_pages? if the response still looks like it was served by GitHub.

1.17.1

Update Cloudflare IPs.

1.17.0

Fix CI which is broken on master #115 (by @kytrinyx)

Silence warnings triggered by Ruby 2.7 #116 (by @kytrinyx)

Update dependencies to be compatible with Ruby 2.7 #117 (by @kytrinyx)

Update dotenv requirement from ~> 1.0 to ~> 2.7 #120 (dependabot)

Update gem-release requirement from ~> 0.7 to ~> 2.1 #119 (dependabot)

Update webmock requirement from ~> 1.21 to ~> 3.8 #118 (dependabot)

Upgrade to Ruby 2.7 & incorporate a Dockerfile #121 (by @parkr & @MarkTiedemann)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 66 commits:

↗️ html-pipeline (indirect, 2.12.0 → 2.14.3) · Repo · Changelog

Release Notes

2.14.0

Make Rinku configurable: #335

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 54 commits:

↗️ http_parser.rb (indirect, 0.6.0 → 0.8.0) · Repo

Commits

See the full diff on Github. The new version differs by 53 commits:

↗️ i18n (indirect, 0.9.5 → 1.14.1) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll (indirect, 3.8.5 → 3.9.3) · Repo · Changelog

Release Notes

3.9.3

Bug Fixes

3.9.x: Support i18n 1.x (#9269)

Backport #8880 for v3.9.x: Support both tzinfo v1 and v2 alongwith
non-half hour offsets (#9280)

Development Fixes

v3.9.x: test under Ruby 3.2 #9272)

v3.9.x: fix rdiscount test (#9277)

3.9.2

Bug Fixes

Lock http_parser.rb gem to v0.6.x on JRuby (#8943)

Backport #8756 for v3.9.x: Respect collections_dir config within include tag (#8795)

Backport #8965 for v3.9.x: Fix response header for content served via jekyll serve (#8976)

Development Fixes

Update and fix CI for 3.9-stable on Ruby 3.x (#8942)

Fix CI for commits to 3.9-stable branch (#8788)

3.9.1

Bug Fixes

Backport #8618 for v3.9.x: Update include tag to be more permissive (#8629)

3.9.0

Minor Enhancements

Allow use of kramdown v2 (#8322)

Add default language for kramdown syntax highlighting (#8325)

3.8.7

Fixes

Prevent console warnings with Ruby 2.7 (#7948)

3.8.6

Bug Fixes

Update log output for an invalid theme directory (#7734)

Memoize SiteDrop#documents to reduce allocations (#7722)

Excerpt handling of custom and intermediate tags (#7467)

Escape valid special chars in a site's path name (#7573)

Revert memoizing Site#docs_to_write and refactor #documents (#7689)

Fix broken include_relative usage in excerpt (#7690)

Install platform-specific gems as required (3c06609)

Security Fixes

Theme gems: ensure directories aren't symlinks (#7424)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-avatar (indirect, 0.6.0 → 0.7.0) · Repo · Changelog

Release Notes

0.7.0

What's Changed

Update rubocop-jekyll requirement from ~> 0.9.0 to ~> 0.10.0 (#38) @dependabot-preview

Cache parsed host url to reduce allocations (#36) @ashmaroli

Avoid unnecessary allocations for empty strings (#34) @ashmaroli

Allow use and testing with Jekyll 4.0 (#32) @ashmaroli

Lint with rubocop-jekyll (#33) @ashmaroli

Update rake requirement from ~> 10.0 to ~> 12.3 (#22) @dependabot-preview

Fix passing username as variable docs in README.md (#20) @chrismytton

update readme (#19) @kenman345

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 29 commits:

↗️ jekyll-commonmark (indirect, 1.3.1 → 1.4.0) · Repo · Changelog

Release Notes

1.4.0

Minor Enhancements

Require at least commonmarker-0.22 (#44)

Highlight fenced code-block contents with Rouge (#29)

Bug Fixes

Refactor away extra abstractions (#53)

Development Fixes

DRY begin-rescue-end block with a private helper (#28)

Fix failing CI builds (#33)

Remove gemspec dependency on Jekyll (#34)

Test rendering with invalid configuration (#27)

Refactor to improve readability (#37)

Set up Continuous Integration via GH Actions (#46)

Clean up gemspec (#47)

Add workflow to release gem via GH Actions (#54)

Documentation

Update README to link to commonmarker (#38)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 42 commits:

↗️ jekyll-commonmark-ghpages (indirect, 0.1.5 → 0.4.0) · Repo

Release Notes

0.2.0

What's Changed

Bump commonmarker to the latest version by @yoannchaudet in #21

New Contributors

@yoannchaudet made their first contribution in #21

Full Changelog: v0.1.6...v0.2.0

Does any of this look wrong? Please let us know.

Sorry, we couldn’t find anything useful about this release.

↗️ jekyll-feed (indirect, 0.11.0 → 0.15.1) · Repo · Changelog

Release Notes

0.15.1

Bug Fixes

MetaTag: when encoding for XML special characters, handle non-string objects (#326)

0.15.0

Minor Enhancements

Add support for drafts (#316)

0.14.0

Minor Enhancements

add support for categories (#153) (#233)

add support for tags (#264)

Make posts limit configurable (#314)

XML escape the title field of feed_meta (#306)

Bug Fixes

Fix feed link when post title contains HTML (#305)

Development Fixes

Use Dir to list source files (#309)

Require Ruby >=2.4.0 (#307)

0.13.0

Minor Enhancements

Excerpt only flag (#287)

Add media:content tag (#290)

Development Fixes

test: use categories in post (#249)

0.12.1

Release: v0.12.0 (#271)

Bug Fixes

Re-introduce Ruby 2.3 support and test Jekyll 3.7+ (#272)

0.12.0

Allow Jekyll v4 (still alpha)

Development Fixes

style: fix offenses in specs (#248)

dev: update CI and style settings (#258)

Enable testing for Windows platform (#265)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 57 commits:

↗️ jekyll-github-metadata (indirect, 2.12.1 → 2.13.0) · Repo · Changelog

Release Notes

2.13.0

Minor Enhancements

Lessen Jekyll dependency (#164)

Enable support for topics property (#166)

Allow detecting archived or disabled repos (#176)

Bug Fixes

Conditionally memoize certain private methods in EditLinkTag (#163)

Fix faraday connectionfailed issue (#178)

MetadataDrop: don't use instance variable to check mutations (#173)

Documentation Fixes

List the fields this repo generates for site.github (#171)

Use HTML entities to prevent Liquid from processing this documentation (#172)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 22 commits:

↗️ jekyll-mentions (indirect, 1.4.1 → 1.6.0) · Repo · Changelog

Release Notes

1.6.0

Minor Enhancements

Allow configuring base URL in page front matter (#72)

Incorporate document data only if it has override (#73)

Development Fixes

ci: test against Jekyll 4.0

style: target Ruby 2.4

ignore vendor/bundle

Bug Fixes

Support handling body tag across multiple lines (#70)

1.5.1

Bug Fixes

Re-introduce Ruby 2.3 support and test with Jekyll 3.7 and beyond (#69)

1.5.0

Development Fixes

Allow Jekyll v4 (still alpha)

Drop support for Ruby 2.3

chore(deps): rubocop-jekyll 0.3 (#65)

Reintroduce style checks (#67)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ jekyll-optional-front-matter (indirect, 0.3.0 → 0.3.2) · Repo

Release Notes

0.3.2

Support Jekyll 4.x (#20) @leleabhinav

update documentation (#15) @kenman345

Update README.md for Usage (#13) @ketozhang

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 46 commits:

↗️ jekyll-readme-index (indirect, 0.2.0 → 0.3.0) · Repo

Release Notes

0.3.0

Jekyll 4.x support (#16)

Add with_frontmatter option to README (#12) @KrzysztofKarol

Add support for readmes with front matter (#11) @qwtel

update documentation (#10) @kenman345

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 46 commits:

↗️ jekyll-redirect-from (indirect, 0.14.0 → 0.16.0) · Repo · Changelog

Release Notes

0.16.0

Minor Enhancements

Allows generation of redirects.json to be disabled (#207)

Allow redirects from and for subclasses of page and document (#204)

Bug Fixes

Use Hash#key? instead of Hash#keys.any? (#201)

Development Fixes

Target Ruby 2.4

Stop testing with backwards-compatible site config (#211)

Documentation

Simplifies YAML for redirect_to (#185)

0.15.0

Development Fixes

chore(deps): rubocop-jekyll 0.3 (#187)

Bug Fixes

Allow testing and using with Jekyll 4.x (#196)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

↗️ jekyll-relative-links (indirect, 0.6.0 → 0.6.1) · Repo

Release Notes

0.6.1

Support for Jekyll 4.x

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ jekyll-remote-theme (indirect, 0.4.0 → 0.4.3) · Repo

Release Notes

0.4.3

Updated to use HEAD instead of master as default branch (#87) @IanLee1521

Added extra context to error message when remote theme download fails (#85) @IanLee1521

Require kramdown-parser-gfm to fix travis (#86) @benbalter

Fixes #76 (#77) @orchardcc

0.4.2

Jekyll 4.0 support (#61)

0.4.1

Update jekyll requirement from ~> 3.5 to >= 3.5, < 5.0 (#54) @dependabot-preview

Require rubyzip to version 1.3.0 or later

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

↗️ jekyll-seo-tag (indirect, 2.5.0 → 2.8.0) · Repo · Changelog

Release Notes

2.8.0

Minor Enhancements

Allow to set type for author (#427)

Allow setting author.url (#453)

Implement Facebook domain verification (#455)

Add og:image:alt and twitter:image:alt (#438)

Sort JSON-LD data by key (#458)

Bug Fixes

Set the default og:type to 'website' (#391)

Template: Remove double new line (#454)

Development Fixes

Fix typo in source code comment (#449)

Set up Continuous Integration via GH Actions (#450)

Bump RuboCop to v1.18.x (#452)

Add workflow to release gem via GH Actions

2.7.1

Development Fixes

refactor: mutate site payload instead of duplicating it (#419)

2.7.0

Minor Enhancements

Change pagination message with seo_paginator_message option (#324)

Make Twitter Summary Card without having Twitter account (#284)

Prefer site.tagline to site.description for page title (#356)

Render og:locale meta only when defined explicitly (#388)

Bug Fixes

Ensure a single leading @ for twitter usernames (#367)

Development Fixes

chore(deps): require Ruby > 2.4.0 EOL

test: fix locale specs that use the fallback locale (#360)

refactor: Replace read-only empty hash with private constant (#418)

refactor: Mutate hash literals instead of duplicating them (#417)

refactor: Reduce allocations of instance-agnostic objects (#376)

refactor: Memoize #author_hash in SeoTag::AuthorDrop (#342)

refactor: simplify conditional in SeoTag::Drop#date_modified (#343)

chore(ci): profile seo-tag plugin on a third-party repository (#414)

chore(ci): Jekyll v4.0 (#372)

chore(ci): test against current stable Ruby 2.5 and 2.7 (#385)

style: align with latest jekyll-rubocop (#382)

fix: Travis builds for Jekyll 3.x (#415)

Documentation

Structured Data Testing Tool is deprecated (#409)

Rename Google webmaster tools to Google Search Console (#403)

Improve documentation on plugin usage (#399)

remove Google+ from example snippet (#358)

HTTPS link to https://ogp.me/ (#359)

HTTPS links to schema.org (#350)

use example.com for example URL (#351)

2.6.1

Development Fixes

Test against Jekyll 4.x (#336)

2.6.0

Minor Enhancements

Twitter Image and Title (#330)

Bug Fixes

Do not cache the drop payload for SeoTag (#306)

Update url of schema website (#296)

Development Fixes

Relax version constraint on Bundler (#325)

chore(ci): Add Ruby 2.6, drop Ruby 2.3 (#326)

chore (ci): remove deprecated sudo: false in .travis.yml (#333)

Lint Ruby code with rubocop-jekyll gem (#302)

chore(deps): bump rubocop-jekyll to v0.4 (#320)

chore(deps): bump rubocop-jekyll to v0.3 (#316)

Correct RuboCop offenses in spec files (#319)

Documentation

Rectify error in Usage documentation (#328)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-sitemap (indirect, 1.2.0 → 1.4.0) · Repo · Changelog

Release Notes

1.4.0

Minor Enhancements

Avoid overwriting an existing robots.txt (#246)

Bug Fixes

Simulate last_modified_at injection by plugin (#256)

1.3.1

Bug Fixes

Update plugin metadata and dev environment (#244)

Development Fixes

Lock requirement for jekyll-last-modified-at to >= 1.0

1.3.0

Allow Jekyll v4 (still alpha)

Documentation

Add PDF file exclusion documentation (#213)

Correct capitalization of GitHub (#207)

Development Fixes

Use Ruby 2.3 and Rubocop 0.55 (#214)

chore(deps): rubocop-jekyll-0.3 (#227)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 38 commits:

↗️ jekyll-swiss (indirect, 0.4.0 → 1.0.0) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ jekyll-theme-architect (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #48

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

↗️ jekyll-theme-cayman (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #133

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 45 commits:

↗️ jekyll-theme-dinky (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #22

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

↗️ jekyll-theme-hacker (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add Google Analytics to head-custom.html to allow easier customization of the GA code #79

0.1.2

Allow Jekyll v4

Return to home on click page title #47

Show full header h1 for smaller displays #49

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

↗️ jekyll-theme-leap-day (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Added styled KBD tag, like in primer theme #47 (thanks, @gebeto)

Remove 'auto' from padding since it's not a valid padding #57

Add head-custom.html to allow easier customization of the <head> #56

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 34 commits:

↗️ jekyll-theme-merlot (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #10

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

↗️ jekyll-theme-midnight (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add Google Analytics to head-custom.html to allow easier customization of the GA code #37

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 38 commits:

↗️ jekyll-theme-minimal (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #119

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

↗️ jekyll-theme-modernist (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Replace linear_gradient with linear-gradient() CSS function #17

Add head-custom.html to allow easier customization of the <head> #16

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 27 commits:

↗️ jekyll-theme-primer (indirect, 0.5.3 → 0.6.0) · Repo

Release Notes

0.6.0

Add head-custom.html to allow easier customization of the #61

0.5.4

Update Primer CSS

Add default layout to post, page, and home layouts

Lessen Jekyll dependency

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 40 commits:

↗️ jekyll-theme-slate (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #66

Added styled KBD tag, like in primer theme #47 (thanks, @gebeto)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ jekyll-theme-tactile (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #23

Fall back code font-family to monospace #21 (thanks @lkslawek)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

↗️ jekyll-theme-time-machine (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #22

Added styled KBD tag, like in primer theme #13 (thanks @gebeto)

Fix show_downloads #16 (thanks @deargle)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ jekyll-titles-from-headings (indirect, 0.5.1 → 0.5.3) · Repo

Release Notes

0.5.3

Support jekyll 4 and change Ruby version for travisci (#59) @leleabhinav

Add case for hashes at the end of lines (#38) @MineRobber9000

Fix error when stripping title from a page with frozen content (#32) @robotdana

update documentation (#35) @kenman345

Strip title from excerpt (#28) @qwtel

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 33 commits:

↗️ jemoji (indirect, 0.10.2 → 0.12.0) · Repo · Changelog

Release Notes

0.12.0

Minor Enhancements

perf: don't load Gemoji into memory immediately (#106)

Development Fixes

deps: Ruby > 2.4 (EOL)

ci: test with Ruby 2.7

0.11.1

Bug fix

Support handling body tag across multiple lines (#96)

0.11.0

Development fixes

Test against Jekyll v4

Remove deprecated sudo:false in Travis config

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

↗️ kramdown (indirect, 1.17.0 → 2.3.2) · Repo · Changelog

Security Advisories 🚨

🚨 Remote code execution in Kramdown

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters
namespace, and thus arbitrary classes can be instantiated.

🚨 Unintended read access in kramdown gem

The kramdown gem before 2.3.0 for Ruby processes the template option inside
Kramdown documents by default, which allows unintended read access (such as
template="/etc/passwd") or unintended embedded Ruby code execution (such as a
string that begins with template="string://<%= `). NOTE: kramdown is used in
Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

↗️ liquid (indirect, 4.0.0 → 4.0.4) · Repo · Changelog

Release Notes

4.0.3 (from changelog)

Fixed

Fix break and continue tags inside included templates in loops (#1072) [Justin Li]

4.0.2 (from changelog)

Changed

Add where filter (#1026) [Samuel Doiron]

Add ParseTreeVisitor to iterate the Liquid AST (#1025) [Stephen Paul Weber]

Improve strip_html performance (#1032) [printercu]

Fixed

Add error checking for invalid combinations of inputs to sort, sort_natural, where, uniq, map, compact filters (#1059) [Garland Zhang]

Validate the character encoding in url_decode (#1070) [Clayton Smith]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ listen (indirect, 3.1.5 → 3.8.0) · Repo · Changelog

Release Notes

3.8.0

Use the defined type to the default value of directory (#566) @y-yagi

update ruby version matrix to drop 2.4, 2.5 and add 3.2 (#567) @ColinDKelley

Update ruby version 3.0.4 (#562) @vickyprahastra

Raise argument error when passing a file path (#563) @janko

Fix kwargs matching with rspec-mock 3.12 and Ruby 3+ (#564) @voxik

Disable fail-fast for CI matrix (#555) @ybiquitous

Add Ruby 3.0/3.1 to CI (#554) @ybiquitous

3.7.1

Issue #548: fix error when renaming folder (#552) @ColinDKelley

issue #550: fix README to document start rather than unpause (#551) @ColinDKelley

Issue #543: Ignore emacs backup/swap files by default. (#546) @zw963

3.7.0

issue #509: raise Listen::Error::INotifyMaxWatchesExceeded rather than abort (#545) @ColinDKelley

Plumb Silencer.new and use it #542 spec (#544) @ColinDKelley

fix: Avoid scanning and building entries for silenced directories (#542) @ElMassimo

3.6.0

✨ New Features

#452 for FIPS compatibility, use SHA256 instead of MD5 (#541) @ColinDKelley

3.5.1

Bump required ruby version to v2.4.0 (#536) @cgunther

3.4.0

Issue #510: use monotonic tick count (#512) @ColinDKelley

3.3.4

Don't return incorrect files when there's a file whose name matches a dir (#526) @ghiculescu

added correct link to help debug inotify workers error on linux (#527) @williamkennedy

issue #473: use sudo sh -c so redirection works (#525) @ColinDKelley

issue #473: update README for setting fs.inotify.max_user_watches (#522) @ColinDKelley

issue #451: change windows install instructions to suggest platforms: instead of Gem.win_platform? (#523) @ColinDKelley

put missing wiki content into README (#521) @ColinDKelley

3.3.3

Add project metadata to the gemspec (#519) @orien

3.3.2

Issue #504: tune .rubocop.yml and source code to make it pass all cops (#508) @ColinDKelley

Fix description typo (#515) @ccouzens

3.3.1

issue #513: allow stop when not started (#514) @ColinDKelley

3.3.0

✨ New Features

Use file size to check for modifications (#336) @marawan31

Ignore mutagen sync temporary files (#469) @nilbus

Add GitHub Actions for development workflow. (#485) @ioquatix

Allow Ruby 3 (#490) @yahonda

Add Truffleruby head to CI (#493, #507) @gogainda

Add magic # frozen_string_literal: true comment (#494) @ColinDKelley

🐛 Bug Fixes

Fix: Linux driver listens for :modify events again (#450) @ColinDKelley

Fix: Track removed subdirectories (#460) @bryanlira

Use one fsevent_watch process per listener instead of one per dir (#471) @ioquatix

Wrap Listener instances in WeakRef (#477) @jonathanhefner

Include macOS Big Sur in Adapter::Darwin#usable? (#479) @christiankn

Fix hanging race condition (#481, #500) @ColinDKelley

Remove Listen::Internals::ThreadPool (#483) @jonathanhefner

Tidy up thread killing. Remove JRuby workaround. (#484) @ioquatix

Move thread caller stack and rescue+log to a common place (#487) @ColinDKelley

Unify logging through Listen.logger; add missing logger_spec (#497) @ColinDKelley

Rescue and log application exceptions raised from the Listen.to callback so listening doesn't break in process (#505) @ColinDKelley

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.4.0 → 2.8.4) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minima (indirect, 2.5.0 → 2.5.1) · Repo · Changelog

Release Notes

2.5.1

Minor enhancements

Allow use and testing with Jekyll 4.x (#398)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ minitest (indirect, 5.12.2 → 5.19.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.10.4 → 1.15.3) · Repo · Changelog

Security Advisories 🚨

🚨 Update packaged libxml2 to v2.10.4 to resolve multiple CVEs

Summary

Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to
v2.10.4 from v2.10.3.

libxml2 v2.10.4 addresses the following known vulnerabilities:

CVE-2023-29469: Hashing of
empty dict strings isn't deterministic

CVE-2023-28484: Fix null deref
in xmlSchemaFixupComplexType

Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3,
and only if the packaged libraries are being used. If you've overridden defaults at installation
time to use system libraries instead of packaged libraries, you should instead pay attention to
your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.14.3.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against external libraries libxml2 >= 2.10.4 which will also address these
same issues.

Impact

No public information has yet been published about the security-related issues other than the
upstream commits. Examination of those changesets indicate that the more serious issues relate to
libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.

The commits can be examined at:

[CVE-2023-29469] Hashing of empty dict strings isn't deterministic (09a2dd45)

[CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType (647e072e)

schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7)

🚨 Unchecked return value from xmlTextReaderExpand

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

CWE - CWE-252: Unchecked Return Value (4.9)

CWE - CWE-476: NULL Pointer Dereference (4.9)

Credit

This vulnerability was responsibly reported by @davidwilemski.

🚨 Nokogiri affected by libxslt Use of Uninitialized Resource/ Use After Free vulnerability

In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable
isn't reset under certain circumstances. If the relevant memory area
happened to be freed and reused in a certain way, a bounds check could
fail and memory outside a buffer could be written to, or uninitialized
data could be disclosed.

Nokogiri prior to version 1.10.5 contains a vulnerable version of
libxslt. Nokogiri version 1.10.5 upgrades the dependency to
libxslt 1.1.34, which contains a patch for this issue.

🚨 Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing

A vulnerability found in libxml2 in versions before 2.9.11 shows
that it did not propagate errors while parsing XML mixed content,
causing a NULL dereference. If an untrusted XML document was parsed
in recovery mode and post-validated, the flaw could be used to crash
the application. The highest threat from this vulnerability
is to system availability.

🚨 Nokogiri Implements libxml2 version vulnerable to use-after-free

There's a flaw in libxml2 in versions before 2.9.11. An attacker
who is able to submit a crafted file to be processed by an application
linked with libxml2 could trigger a use-after-free. The greatest
impact from this flaw is to confidentiality, integrity, and availability.

🚨 Nokogiri contains libxml Out-of-bounds Write vulnerability

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Nokogiri prior to version 1.11.4 used a vulnerable version of libxml2. Nokogiri 1.11.4 updated libxml2 to version 2.9.11 to address this and other vulnerabilities in libxml2.

🚨 libxslt Type Confusion vulnerability that affects Nokogiri

In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

Nokogiri prior to version 1.10.5 used a vulnerable version of libxslt. Nokogiri 1.10.5 updated libxslt to version 1.1.34 to address this and other vulnerabilities in libxslt.

🚨 Nokogiri implementation of libxslt vulnerable to heap corruption

Type confusion in xsltNumberFormatGetMultipleLevel prior to
libxslt 1.1.33 could allow attackers to potentially exploit heap
corruption via crafted XML data.

Nokogiri prior to version 1.10.5 contains a vulnerable version of
libxslt. Nokogiri version 1.10.5 upgrades the dependency to
libxslt 1.1.34, which contains a patch for this issue.

🚨 Improper Handling of Unexpected Data Type in Nokogiri

Summary

Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers.
For CRuby users, this may allow specially crafted untrusted inputs to cause illegal
memory access errors (segfault) or reads from unrelated memory.

Severity

The Nokogiri maintainers have evaluated this as High 8.2 (CVSS3.1).

Mitigation

CRuby users should upgrade to Nokogiri >= 1.13.6.

JRuby users are not affected.

Workarounds

To avoid this vulnerability in affected applications, ensure the untrusted input is a
String by calling #to_s or equivalent.

🚨 Integer Overflow or Wraparound in libxml2 affects Nokogiri

Summary

Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from
v2.9.13 to v2.9.14.

libxml2 v2.9.14 addresses CVE-2022-29824.
This version also includes several security-related bug fixes for which CVEs were not created,
including a potential double-free, potential memory leaks, and integer-overflow.

Please note that this advisory only applies to the CRuby implementation of Nokogiri
< 1.13.5, and only if the packaged libraries are being used. If you've overridden
defaults at installation time to use system libraries instead of packaged libraries,
you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.5.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation:
compile and link Nokogiri against external libraries libxml2 >= 2.9.14 which will also
address these same issues.

Impact

libxml2 CVE-2022-29824

CVSS3 score:

Unspecified upstream

Nokogiri maintainers evaluate at 8.6 (High) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). Note that this is different from the CVSS assessed by NVD.

Type: Denial of service, information disclosure

Description: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24

All versions of libml2 prior to v2.9.14 are affected.

Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.

References

libxml2 v2.9.14 release notes

CVE-2022-29824

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

🚨 XML Injection in Xerces Java affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to
2.12.2, which addresses CVE-2022-23437.
That CVE is scored as CVSS 6.5 "Medium" on the NVD record.

Please note that this advisory only applies to the JRuby implementation
of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2022-23437 in xerces-J

Severity: Medium

Type: CWE-91 XML Injection (aka Blind XPath Injection)

Description: There's a vulnerability within the Apache Xerces Java
(XercesJ) XML parser when handling specially crafted XML document payloads.
This causes, the XercesJ XML parser to wait in an infinite loop, which may
sometimes consume system resources for prolonged duration. This vulnerability
is present within XercesJ version 2.12.1 and the previous versions.

See also: GHSA-h65f-jvqw-m9fj

🚨 Out-of-bounds Write in zlib affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11
to 1.2.12, which addresses CVE-2018-25032.
That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.4, and only if the packaged version of zlib is being used.
Please see this document
for a complete description of which platform gems vendor zlib. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's zlib
release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib

Severity: High

Type: CWE-787
Out of bounds write

Description: zlib before 1.2.12 allows memory corruption when
deflating (i.e., when compressing) if the input has many distant matches.

🚨 Denial of Service (DoS) in Nokogiri on JRuby

Summary

Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to
1.9.22.noko2 which addresses CVE-2022-24839.
That CVE is rated 7.5 (High Severity).

See GHSA-9849-p7jc-9rmv
for more information.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Impact

CVE-2022-24839 in nekohtml

Severity: High 7.5

Type: CWE-400 Uncontrolled Resource Consumption

Description: The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a
java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.

See also: GHSA-9849-p7jc-9rmv

🚨 Inefficient Regular Expression Complexity in Nokogiri

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is
susceptible to excessive backtracking when attempting to detect encoding
in HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

🚨 Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)

Summary

Nokogiri v1.13.2 upgrades two of its packaged dependencies:

vendored libxml2 from v2.9.12 to v2.9.13

vendored libxslt from v1.1.34 to v1.1.35

Those library versions address the following upstream CVEs:

libxslt: CVE-2021-30560 (CVSS 8.8, High severity)

libxml2: CVE-2022-23308 (Unspecified severity, see more information below)

Those library versions also address numerous other issues including performance
improvements, regression fixes, and bug fixes, as well as memory leaks and other
use-after-free issues that were not assigned CVEs.

Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's libxml2
and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated
mitigation: compile and link an older version Nokogiri against external libraries
libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.

Impact

libxslt CVE-2021-30560

CVSS3 score: 8.8 (High)

Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c

All versions of libxslt prior to v1.1.35 are affected.

Applications using untrusted XSL stylesheets to transform XML are vulnerable to
a denial-of-service attack and should be upgraded immediately.

libxml2 CVE-2022-23308

As of the time this security advisory was published, there is no officially
published information available about this CVE's severity. The above NIST link
does not yet have a published record, and the libxml2 maintainer has declined
to provide a severity score.

Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12

Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html

The upstream commit and the explanation linked above indicate that an application
may be vulnerable to a denial of service, memory disclosure, or code execution if
it parses an untrusted document with parse options DTDVALID set to true, and NOENT
set to false.

An analysis of these parse options:

While NOENT is off by default for Document, DocumentFragment, Reader, and
Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri
v1.12.0 and later.

DTDVALID is an option that Nokogiri does not set for any operations, and so
this CVE applies only to applications setting this option explicitly.

It seems reasonable to assume that any application explicitly setting the parse
option DTDVALID when parsing untrusted documents is vulnerable and should be
upgraded immediately.

🚨 Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.0) for JRuby users. (This security advisory does not apply to CRuby users.)

Impact

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default.

Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:

Nokogiri::XML::SAX::Parser

Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser

Nokogiri::XML::SAX::PushParser

Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser

Mitigation

JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.

CRuby users are not affected.

🚨 Update packaged dependency libxml2 from 2.9.10 to 2.9.12

Summary

Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses:

CVE-2019-20388 (Medium severity)

CVE-2020-24977 (Medium severity)

CVE-2021-3517 (Medium severity)

CVE-2021-3518 (Medium severity)

CVE-2021-3537 (Low severity)

CVE-2021-3541 (Low severity)

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.11.4, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.11.4.

Impact

I've done a brief analysis of the published CVEs that are addressed in this upstream release. The libxml2 maintainers have not released a canonical set of CVEs, and so this list is pieced together from secondary sources and may be incomplete.

All information below is sourced from security.archlinux.org, which appears to have the most up-to-date information as of this analysis.

CVE-2019-20388

Severity: Medium

Type: Denial of service

Description: A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service.

Fixed: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2020-7595

Severity: Medium

Type: Denial of service

Description: xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

Fixed: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5

This has been patched in Nokogiri since v1.10.8 (see #1992).

CVE-2020-24977

Severity: Medium

Type: Information disclosure

Description: GNOME project libxml2 <= 2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.

Fixed: https://gitlab.gnome.org/GNOME/libxml2/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3516

Severity: Medium

Type: Arbitrary code execution (no remote vector)

Description: A use-after-free security issue was found libxml2 before version 2.9.11 when "xmllint --html --push" is used to process crafted files.

Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230

Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539

Verified that the fix commit first appears in v2.9.11. This vector does not exist within Nokogiri, which does not ship xmllint.

CVE-2021-3517

Severity: Medium

Type: Arbitrary code execution

Description: A heap-based buffer overflow was found in libxml2 before version 2.9.11 when processing truncated UTF-8 input.

Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235

Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3518

Severity: Medium

Type: Arbitrary code execution

Description: A use-after-free security issue was found in libxml2 before version 2.9.11 in xmlXIncludeDoProcess() in xinclude.c when processing crafted files.

Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237

Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3537

Severity: Low

Type: Denial of service

Description: It was found that libxml2 before version 2.9.11 did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application.

Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/243

Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3541

Severity: Low

Type: Denial of service

Description: A security issue was found in libxml2 before version 2.9.11. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.

Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4, however Nokogiri's default parse options prevent the attack from succeeding (it is necessary to opt into DTDLOAD which is off by default).

For more details supporting this analysis of this CVE, please visit #2233.

🚨 Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability

Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema
are trusted by default, allowing external resources to be accessed over the
network, potentially enabling XXE or SSRF attacks.

This behavior is counter to
the security policy followed by Nokogiri maintainers, which is to treat all input
as untrusted by default whenever possible.

Please note that this security
fix was pushed into a new minor version, 1.11.x, rather than a patch release to
the 1.10.x branch, because it is a breaking change for some schemas and the risk
was assessed to be "Low Severity".

Affected Versions

Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3

Mitigation

There are no known workarounds for affected versions. Upgrade to Nokogiri
1.11.0.rc4 or later.

If, after upgrading to 1.11.0.rc4 or later, you wish
to re-enable network access for resolution of external resources (i.e., return to
the previous behavior):

Ensure the input is trusted. Do not enable this option
for untrusted input.

When invoking the Nokogiri::XML::Schema constructor,
pass as the second parameter an instance of Nokogiri::XML::ParseOptions with the
NONET flag turned off.

So if your previous code was:
# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network
# but in v1.11.0.rc4 and later, this call will disallow network access for external resources
schema = Nokogiri::XML::Schema.new(schema)

# in v1.11.0.rc4 and later, the following is equivalent to the code above
# (the second parameter is optional, and this demonstrates its default value)
schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)
Then you can add the second parameter to indicate that the input is trusted by changing it to:
# in v1.11.0.rc3 and earlier, this would raise an ArgumentError
# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network
schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)

🚨 xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

🚨 Nokogiri gem, via libxslt, is affected by multiple vulnerabilities

Nokogiri v1.10.5 has been released.

This is a security release. It addresses three CVEs in upstream libxml2,
for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses
these vulnerabilities.

Full details about the security update are available in Github Issue
[#1943] #1943.

CVE-2019-13117

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html

Priority: Low

Description: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings
could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This
could allow an attacker to discern whether a byte on the stack contains the
characters A, a, I, i, or 0, or any other character.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1

CVE-2019-13118

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html

Priority: Low

Description: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an
xsl:number instruction was too narrow and an invalid character/length
combination could be passed to xsltNumberFormatDecimal, leading to a read
of uninitialized stack data

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b

CVE-2019-18197

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18197.html

Priority: Medium

Description: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't
reset under certain circumstances. If the relevant memory area happened to
be freed and reused in a certain way, a bounds check could fail and memory
outside a buffer could be written to, or uninitialized data could be
disclosed.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ octokit (indirect, 4.14.0 → 4.25.1) · Repo · Changelog

Security Advisories 🚨

🚨 Octokit gem published with world-writable files

Impact

Versions 4.23.0
and 4.24.0 of the octokit gem
were published containing world-writeable files.

Specifically, the gem was packed
with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r--
(i.e. 0644). This means everyone who is not the owner (Group and Public) with access
to the instance where this release had been installed could modify the world-writable
files from this gem.

Malicious code already present and running on your machine,
separate from this package, could modify the gem’s files and change its behavior
during runtime.

Patches

octokit 4.25.0

Workarounds

Users can use the previous version of the gem v4.22.0.
Alternatively, users can modify the file permissions manually until they are able
to upgrade to the latest version.

Release Notes

4.25.1

Stop configuring Faraday's retry middleware twice (@Edouard-chin)

Fix various Ruby warnings (e.g. missing parentheses) (@coryf)

4.25.0

✅ NOTE: This remediates A security advisory was published on versions 4.23.0 and 4.24.0 of this gem. You can read more about this in the published security advisory. ✅

DX Improvements

Rubocop improvements by @timrogers in #1441

Require multi-factor authentication to push new releases to RubyGems by @timrogers in #1443

CI Improvements

Updates all build scripts to be more durable and adds details on how to run a manual file integrity check by @nickfloyd in #1446

Housekeeping

Drop support for Ruby 1.9.2 in Octokit::Client::Contents#create_contents by @timrogers in #1442

Full Changelog: v4.24.0...v4.25.0

4.24.0

Known issues

Note: This release fixes the issue around autoloading modules causing some modules to not load before use #1428

Code improvements

#1354, #1426 Enabling Ruby's immutable ("frozen") string literals i.e. --enable-frozen-string-literal via @timrogers and @olleolleolle

CI Improvements

Adds Code QL analysis to octokit.rb via @nickfloyd

Bug fixes

#1428 Fixes module loading issue with autoloading (this reverts #1351 ) - more information here via @collinsauve. @waiting-for-dev, @etiennebarrie, @timrogers, and @nickfloyd

Full Changelog: v4.23.0...v4.24.0

4.23.0

Code improvements

#1382 Correctly raise Octokit::TooManyRequests when hitting secondary rate limit via @jasonopslevel

#1411 Adds support for Faraday v2 usage via @skryukov

CI Improvements

#1395 Adds Ruby 3.1 to CI via @petergoldstein

Performance improvements

#1351 Make clients autoload via @gmcgibbon

Bug fixes

#1297 Escape label names with URL characters via @Fryguy

#1375 Escape ref in archive_link via @max611

#1117 & #1419 Ensures that any nil parameters being passed in will initialize with Octokit's defaults instead of nil via @akerl, @nickfloyd

#1321 & #1415 Fixed total_count calculation when paginating results for check runs and check suites via @a2ikm, @matiasalbarello

#1121 Fixes service status methods via @vierarb

Documentation

#1414 replace git.io link in source docs via @wonda-tea-coffee

#1412 Document how and when the SDK raises exceptions via @timrogers

#1356 Fixes grammar and style via @nikoandpiko

Full Changelog: v4.22.0...v4.23.0

4.22.0

Deprecation Fix

#1359 Fix Faraday deprecation warning @ybiquitous

Code Improvements

#1336 Update regex for create ref @thepwagner

#1350 Support pagination in compare api @mrpinsky

CI and dependency updates

#1353 Add Ruby 3.0 support for CI builds @olleolleolle

#1387 Update pry-byebug requirement @ashishkeshan

Documentation

#1376 Update example README code with token filtering @bencolon

#1381 Update organization migration documentation links @rzhade3

4.21.0

API Support

#1319 Add delete workflow run support @szemek

#1322 Add match refs support @AHaymond

#1329 Add rename branch support @gmcgibbon

#1332 Add billing actions support @M-Yamashita01

Error handling

#1324 Handle path diff too large errors @yykamei

Code clean up

#1326 Remove graduated preview headers @ivailop

Documentation

#1314 Update authentication usage @curquiza

#1317 Fix logo link @gjtorikian

#1318 Fix GitHub typo @bl-ue

4.20.0

API Support

#1304 Added the ability to delete a deployment @jer-k

#1308 Add repo vulnerability alerts related functionality for repositories @calvinhughes

Bug fixes

#1309 Paginate outside_collaborators calls @sds

#1316 Uses of FaradayMiddleware#on_complete should not be private @tarebyte

Code improvements

#1131 Add CommitIsNotPartOfPullRequest error @wata727

#1303 Remove integrations preview header @MichaelViveros

#1307 Raise Octokit::InstallationSuspended when another error is received @yykamei

Documentation

#1302 Add documentation on how to specify the ref option for RubyDoc @aomathwift

#1311 Fix Code of Conduct link in Table of Contents @eduardoj

4.19.0

Code Improvements

#1223 Ensure a boolean is returned for application_authenticated @zakallen

#1255 Update api paths in the organization api to take ids @hmharvey

#1260 Fix last_response behavior after failures @JackTLi

#1253 Ensure adapters set SSL options properly @tjwallace

#1270 Add context around rate limit errors @jatindhankhar

API Support

#1252 Introduces support for the ActionWorkflow and ActionWorkflowRun APIs @petar-lazarov

#1236 Support for ActionsSecrets API @jylitalo

#1266 Support for get the authenticated app @kitop

#1281 Support for create a workflow dispatch event @igfoo

#1286 Support installation suspended failures @stmllr

#1288 Support for user migration endpoints @stmllr

Documentation

#1248 Fix documentation link for update a repository @spier

#1269 Update some documentation param names @tarebyte

#1276 Remove dangling phrase in CONTRIBUTING.md @igfoo

#1278 Link related doc in CONTRIBUTING.md @igfoo

#1279 Fix script typo in README.md @igfoo

#1291 Fix typo in authorizations comments @ohbarye

CI and dependency updates

#1206 Increased CI coverage @MSP-Greg

#1243 Add Ruby 2.7 CI support @ybiquitous

#1244 Removed coveralls dependency @hmharvey

#1263 Remove duplicated CI coverage @hmharvey

#1264 Keep running CI on PRs @hmharvey

4.18.0

Documentation

#1200 Fix an API link in the Search client @NickLaMuro

Preview Header Support

#1183 Enable issue events API to return project events @gammons

#1203 Update deprecated application API to new preview @oreoshake

Bug Fixes

#1201 Fix random test failures @MSP-Greg

#1218 Fix incorrect URLs for the Authorizations client @tarebyte

4.17.0

Documentation

#1200 Fix an API link in the Search client @NickLaMuro

Preview Header Support

#1183 Enable issue events API to return project events @gammons

#1203 Update deprecated application API to new preview @oreoshake

Bug Fixes

#1201 Fix random test failures @MSP-Greg

4.16.0

New features

#1187 Support for Commit Branches @tgmachina

Resolve deprecation warnings

#1192 Fix deprecation notice for authentication via query parameters @tarebyte

Documentation

#1137 Clarify force parameter documentation @rmacklin

#1186 Fix team_by_name example @steinbrueckri

#1190 Fix API links in the Apps client @ybiquitous

Tooling updates

#1185 Fix action builds against 4-stable @tarebyte

4.15.0

Preview header support
#1114 Adds drafts preview header @andrew
#1132 Update branch protection preview @spikex

New features
#1133 Support for template repositories @EricPickup
#1136 Add method to find team by name @gallexi
#1153 Add method to delete installation @yykamei
#1151 Add method to update pull request review @eric-silverman
#1162 Support for Commit pulls @tgmachina

Improved error handling
#1115 Add BillingIssue error @stmllr
#1106 Add TooLargeContent error @ybiquitous
#1164 Add SAMLProtected error @tarebyte

Resolve deprecation warnings
#1152 Fix version deprecation warning in ci builds @hmharvey
#1154 Fix faraday error subclass @Gasparila

Documentation
#1123 Add option in the pull request state parameter @4geru
#1135 Fix the contributing doc steps @gallexi
#1134 Fix the code example for update branch @rmacklin
#1139 Add assignee params @4geru
#1138 Update link to new collaborators api @shaunakpp
#1129 Add code of conduct @spikex
#1102 Update readme to point directly to v3 api @binhums

Tooling updates
#1142 Migrated to actions @tarebyte

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ public_suffix (indirect, 3.1.1 → 4.0.7) · Repo · Changelog

Release Notes

4.0.7 (from changelog)

Fixes

Fixed YARD rake task (GH-179)

Changed

Updated definitions.

4.0.6 (from changelog)

Changed

Updated definitions.

4.0.5 (from changelog)

Changed

Updated definitions.

4.0.4 (from changelog)

Changed

Updated definitions.

4.0.3 (from changelog)

Fixed

Fixed 2.7 deprecations and warnings (GH-167). [Thanks @BrianHawley]

4.0.2 (from changelog)

Changed

Updated definitions.

4.0.1 (from changelog)

CHANGED: Updated definitions.

4.0.0 (from changelog)

CHANGED: Minimum Ruby version is 2.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 62 commits:

↗️ rb-fsevent (indirect, 0.10.3 → 0.11.2) · Repo

Release Notes

0.11.2

Avoid modifying string literals #91

0.11.1

rescue Errno::EBADF when closing pipe #92

0.11.0

Add arm64 arch to support Apple M1 guard/rb-fsevent#88

0.10.4

Remove bundler development dependency #85

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

↗️ rb-inotify (indirect, 0.10.0 → 0.10.1) · Repo

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ rouge (indirect, 2.2.1 → 3.26.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rubyzip (indirect, 2.0.0 → 2.3.2) · Repo · Changelog

Release Notes

2.3.2 (from changelog)

A "dummy" release to warn about breaking changes coming in version 3.0. This updated version uses the Gem post_install_message instead of printing to STDERR.

2.3.1

This is a "dummy" release to warn about breaking changes coming in version 3.0.

2.3.0

Fix frozen string literal error #431

Set OutputStream.write_buffer's buffer to binmode #439

Upgrade rubocop and fix various linting complaints #437 #440

Tooling:

Add a bin/console script for development #420

Update rake requirement (development dependency only) to fix a security alert.

2.2.0

Add support for decompression plugin gems #427

2.1.0

Fix (at least partially) the restore_times and restore_permissions options to Zip::File.new #413

Previously, neither option did anything, regardless of what it was set to. We have therefore defaulted them to false to preserve the current behavior, for the time being. If you have explicitly set either to true, it will now have an effect.

Fix handling of UniversalTime (mtime, atime, ctime) fields. #421

Previously, Zip::File did not pass the options to Zip::Entry in some cases. #423

Note that restore_times in this release does nothing on Windows and only restores mtime, not atime or ctime.

Allow Zip::File.open to take an options hash like Zip::File.new #418

Always print warnings with warn, instead of a mix of puts and warn #416

Create temporary files in the system temporary directory instead of the directory of the zip file #411

Drop unused tmpdir requirement #411

Tooling

Move CI to xenial and include jruby on JDK11 #419

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sawyer (indirect, 0.8.2 → 0.9.2) · Repo

Release Notes

0.9.1

What's Changed

Specify correct minimal Faraday version by @skryukov in #73

New Contributors

@skryukov made their first contribution in #73

Full Changelog: v0.9.0...v0.9.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ typhoeus (indirect, 1.3.1 → 1.4.0) · Repo · Changelog

Release Notes

1.4.0 (from changelog)

Full Changelog

1 feature

Faraday adapter exceptions namespace compatibility with Faraday v1 (@iMacTia in #616)

3 Others

Yard warning fixes (@olleolleolle in #622)

Add more Ruby versions in CI matrix (@olleolleolle in #623)

Use of argument passed in function instead of attr_reader (@v-kolesnikov in #625)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

↗️ tzinfo (indirect, 1.2.5 → 1.2.11) · Repo · Changelog

Security Advisories 🚨

🚨 TZInfo relative path traversal vulnerability allows loading of arbitrary files

Impact

Affected versions

0.3.60 and earlier.

1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).

Vulnerability

With the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and
later and built-in to earlier versions), time zones are defined in Ruby files.
There is one file per time zone. Time zone files are loaded with require on
demand. In the affected versions, TZInfo::Timezone.get fails to validate
time zone identifiers correctly, allowing a new line character within the
identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be
made to load unintended files with require, executing them within the Ruby
process.

For example, with version 1.2.9, you can run the following to load a file with
path /tmp/payload.rb:
TZInfo::Timezone.get(\"foo\
/../../../../../../../../../../../../../../../../tmp/payload\")
The exact number of parent directory traversals needed will vary depending on
the location of the tzinfo-data gem.

TZInfo versions 1.2.6 to 1.2.9 can be made to load files from outside of the
Ruby load path. Versions up to and including 1.2.5 can only be made to load
files from directories within the load path.

This could be exploited in, for example, a Ruby on Rails application using
tzinfo version 1.2.9, that allows file uploads and has a time zone selector
that accepts arbitrary time zone identifiers.
The CVSS score and severity have been set on this basis.

Versions 2.0.0 and later are not vulnerable.

Patches

Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone
identifiers.

Note that version 0.3.61 can still load arbitrary files from the Ruby load
path if their name follows the rules for a valid time zone identifier and the
file has a prefix of tzinfo/definition within a directory in the load path.
For example if /tmp/upload was in the load path, then
TZInfo::Timezone.get('foo') could load a file with path
/tmp/upload/tzinfo/definition/foo.rb. Applications should ensure that
untrusted files are not placed in a directory on the load path.

Workarounds

As a workaround, the time zone identifier can be validated before passing to
TZInfo::Timezone.get by ensuring it matches the regular expression
\\A[A-Za-z0-9+\\-_]+(?:\\/[A-Za-z0-9+\\-_]+)*\\z.

Release Notes

1.2.11

Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0. #145.

TZInfo v1.2.11 on RubyGems.org

1.2.10

Fixed a relative path traversal bug that could cause arbitrary files to be loaded with require when used with RubyDataSource. Please refer to
GHSA-5cm2-9h8c-rvfx for details. CVE-2022-31163.

Ignore the SECURITY file from Arch Linux's tzdata package. #134.

TZInfo v1.2.10 on RubyGems.org

1.2.9

Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v1.2.9 on RubyGems.org

1.2.8

Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.

Rubinius is no longer supported.

TZInfo v1.2.8 on RubyGems.org

1.2.7

Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.

Fixed warnings when running on Ruby 2.8. #112.

TZInfo v1.2.7 on RubyGems.org

1.2.6

Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.

Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.

Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.

Fixed warnings when running on Ruby 2.7. #106 and #111.

TZInfo v1.2.6 on RubyGems.org

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.