Update Nokogiri to 1.8.2
There is one security issue found in the lixml2
(2.9.5
) vendored in nokogiri
: https://github.com/sparklemotion/nokogiri/issues/1714
-
omnibus-gitlab
is not vulnerable since it already shipslixml2@2.9.6
: https://github.com/sparklemotion/nokogiri/issues/1714#issuecomment-361113310 - source installation however are still vulnerable since we're currently using
nokogiri@1.8.1
These issues are fixed in nokogiri@1.8.2
.
@kathyw Does this need to be fixed in a security release or should we just update the gem in a normal release workflow?
- Ruby security mailing list: https://groups.google.com/forum/#!msg/ruby-security-ann/p3CHpWZDqMA/QDbJRY8LAgAJ
- Nokogiri issue: https://github.com/sparklemotion/nokogiri/issues/1714
- CVE-2017-15412: https://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-15412.html
/cc @stanhu @rspeicher