Sha256: 46b6ac5f8b765ac7e0bed243b9e7395046f49007fade67a9b27d6a45232e9c32

Size: 1.05 KB

Versions: 3

Stored size: 1.05 KB

Contents

---
gem: nokogiri
cve: 2018-8048
date: 2018-03-29
url: https://github.com/sparklemotion/nokogiri/pull/1746
title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
description: |
  [MRI] Behavior in libxml2 has been reverted which caused
  CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and
  CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is
  here:

  https://github.com/GNOME/libxml2/commit/960f0e2

  and more information is available about this commit and its impact
  here:

  https://github.com/flavorjones/loofah/issues/144

  This release simply reverts the libxml2 commit in question to protect
  users of Nokogiri's vendored libraries from similar vulnerabilities.

  If you're offended by what happened here, I'd kindly ask that you
  comment on the upstream bug report here:

  https://bugzilla.gnome.org/show_bug.cgi?id=769760

patched_versions:
  - ">= 1.8.3"
related:
  cve:
    - 2018-3740
    - 2018-3741
  url:
    - https://github.com/GNOME/libxml2/commit/960f0e2
    - https://bugzilla.gnome.org/show_bug.cgi?id=769760

Version data entries

3 entries across 3 versions & 2 rubygems

Version                 Path
bundler-audit-0.7.0.1   data/ruby-advisory-db/gems/nokogiri/CVE-2018-8048.yml
bundler-budit-0.6.2     data/ruby-advisory-db/gems/nokogiri/CVE-2018-8048.yml
bundler-budit-0.6.1     data/ruby-advisory-db/gems/nokogiri/CVE-2018-8048.yml