fix security alert issue CVE-2018-14404

abego · abego · commit 6ad39ed2a408 · 2019-01-19T17:07:13.000+01:00
1 nokogiri vulnerability found in docs/Gemfile.lock Remediation Upgrade nokogiri to version 1.8.5 or later. Details CVE-2018-14404 More information moderate severity Vulnerable versions: < 1.8.5 Patched version: 1.8.5 A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.
diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock
@@ -70,7 +70,7 @@ GEM
       listen (= 3.1.5)
       mercenary (~> 0.3)
       minima (= 2.4.0)
-      nokogiri (>= 1.8.1, < 2.0)
+      nokogiri (>= 1.8.5, < 2.0)
       rouge (= 2.2.1)
       terminal-table (~> 1.4)
     github-pages-health-check (1.4.0)
@@ -81,7 +81,7 @@ GEM
       typhoeus (~> 1.3)
     html-pipeline (2.7.1)
       activesupport (>= 2)
-      nokogiri (>= 1.4)
+      nokogiri (>= 1.8.5)
     http_parser.rb (0.6.0)
     i18n (0.9.5)
       concurrent-ruby (~> 1.0)
@@ -207,7 +207,7 @@ GEM
     minitest (5.11.3)
     multipart-post (2.0.0)
     net-dns (0.8.0)
-    nokogiri (1.8.2)
+    nokogiri (>= 1.8.5)
       mini_portile2 (~> 2.3.0)
     octokit (4.8.0)
       sawyer (~> 0.8.0, >= 0.5.3)
