Project

General

Profile

Actions

Defect #38539

closed

Update Nokogiri to 1.15.2 in 5.0-stable and 4.2-stable

Added by A Fora 10 months ago. Updated 9 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Here's the details:

Name: activesupport
Version: 6.1.7.2
CVE: CVE-2023-28120
GHSA: GHSA-pj73-v5mw-pm9j
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
Title: Possible XSS Security Vulnerability in SafeBuffer#bytesplice
Solution: upgrade to '~> 6.1.7, >= 6.1.7.3', '>= 7.0.4.3'

Name: nokogiri
Version: 1.13.10
GHSA: GHSA-pxvg-2qj5-37jq
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-pxvg-2qj5-37jq
Title: Update packaged libxml2 to v2.10.4 to resolve multiple CVEs
Solution: upgrade to '>= 1.14.3'

Vulnerabilities found!

Related issues

Related to Redmine - Patch #38181: Update Nokogiri to 1.15.2ClosedGo MAEDA

Actions
Related to Redmine - Patch #38374: Update Rails to 6.1.7.6ClosedGo MAEDA

Actions
Actions #1

Updated by Holger Just 10 months ago

Actions #2

Updated by Holger Just 10 months ago

Actions #3

Updated by Holger Just 10 months ago

The Rails vulnerability does (very likely) not affect Redmine 5.0. To quote the announcement:

Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

Redmine 5.0.x does not support Ruby 3.2. As such, it is (very likely) not affected by this issue. Still, we have updated the Rails version with #38374. This change will be released with Redmine 5.0.6.

The case with Nokogiri is a bit more complex. With Redmine, we support several older Ruby versions for which there are no Nokogiri releases anymore. This results in more complex version dependencies.

Yet, with Redmine 5.0, we are currently still pinning Nokogiri to ~> 1.13.10 for newer Rubies. This must be adapted to use ~> 1.14.3 for Ruby >= 2.7.0 only as nokogiri ended support for Ruby 2.6 with their 1.14.0 release. This can be fixed by adapting the version selection for nokogiri in the Gemfile.

For Redmine 4.2, this should be

gem 'nokogiri', (if Gem.ruby_version < Gem::Version.new('2.5.0')
                   '~> 1.10.10'
                 elsif Gem.ruby_version < Gem::Version.new('2.6.0')
                   '~> 1.12.5'
                 elsif Gem.ruby_version < Gem::Version.new('2.7.0')
                   '~> 1.13.10'
                 else
                   '~> 1.15.2'
                 end)

For Redmine 5.0, we can skip the first check as Redmine 5.0 supports only Ruby >= 2.5.0:

gem 'nokogiri', (if Gem.ruby_version < Gem::Version.new('2.6.0')
                   '~> 1.12.5'
                 elsif Gem.ruby_version < Gem::Version.new('2.7.0')
                   '~> 1.13.10'
                 else
                   '~> 1.15.2'
                 end)

For the trunk, we support only Ruby >= 2.7, so we can just use

gem 'nokogiri', '~> 1.15.2'
Actions #4

Updated by Holger Just 10 months ago

  • Status changed from New to Confirmed
Actions #5

Updated by Holger Just 9 months ago

  • Assignee set to Go MAEDA

Maeda-san, could you have a look at the changes in #note-3? Note that just edited my comment with the current nokogiri versions.

As for regularly updating the nokogiri versions, we may still want to consider just relaxing the dependency at least in trunk to something like '~> 1.15' so that any new versions are automatically used on bundle update. As nokogori marks their gem versions with supported Ruby versions, all bundler versions used with Ruby > 2.7 should be able to find the most recent supported version on their own. See #37100 for a more refined proposal regarding dependency updates.

Actions #6

Updated by Go MAEDA 9 months ago

  • Subject changed from Ruby vulnerabilities reported for v.5.0.5 (I cant select 5.0.5 from versions list) to Update Nokogiri to 1.15.2
  • Target version set to 4.2.11
Actions #7

Updated by Go MAEDA 9 months ago

  • Subject changed from Update Nokogiri to 1.15.2 to Update Nokogiri to 1.15.2 in 5.0-stable and 4.2-stable
  • Status changed from Confirmed to Closed
  • Resolution set to Fixed

Committed the patch in #note-5 in r22259 and r22260. Thank you.

Actions

Also available in: Atom PDF