Hello community,
here is the log from the commit of package rubygem-nokogiri for
openSUSE:Factory checked in at 2019-08-19 20:54:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-nokogiri (Old)
and /work/SRC/openSUSE:Factory/.rubygem-nokogiri.new.22127 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-nokogiri"
Mon Aug 19 20:54:22 2019 rev:43 rq:723538 version:1.10.4
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-nokogiri/rubygem-nokogiri.changes
2019-06-12 13:00:29.217311526 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-nokogiri.new.22127/rubygem-nokogiri.changes
2019-08-19 20:54:55.745001504 +0200
@@ -1,0 +2,19 @@
+Mon Aug 12 06:55:08 UTC 2019 - Manuel Schnitzer <[email protected]>
+
+- updated to version 1.10.4 (CVE-2019-5477)
+
+ A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
+ commands to be executed in a subprocess by Ruby's `Kernel.open` method.
+ Processes are vulnerable only if the undocumented method
+ `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user
+ input.
+
+ This vulnerability appears in code generated by the Rexical gem
+ versions v1.0.6 and earlier. Rexical is used by Nokogiri to
+ generate lexical scanner code for parsing CSS queries. The
+ underlying vulnerability was addressed in Rexical v1.0.7 and
+ Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
+
+ This CVE's public notice is
https://github.com/sparklemotion/nokogiri/issues/1915
+
+-------------------------------------------------------------------
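Review bot: the URL line following `+ This CVE's public notice is` carries no leading `+` in this hunk, so as shown it would not be treated as an added line; the entry as committed should be checked to confirm the link https://github.com/sparklemotion/nokogiri/issues/1915 actually landed in the changelog. The entry also cites only the CVE id and no openSUSE bug reference; if a tracker entry exists for CVE-2019-5477, adding it alongside the CVE lets the security team's tooling match this update to the advisory. The scope statement itself is useful and worth keeping as written: the injection is reachable only through the undocumented `Nokogiri::CSS::Tokenizer#load_file` when it receives untrusted input, and the fix is the upstream bump to Rexical v1.0.7 via Nokogiri v1.10.4 rather than a downstream patch.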
Old:
----
nokogiri-1.10.3.gem
New:
----
nokogiri-1.10.4.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-nokogiri.spec ++++++
--- /var/tmp/diff_new_pack.pfFjSd/_old 2019-08-19 20:54:59.653000666 +0200
+++ /var/tmp/diff_new_pack.pfFjSd/_new 2019-08-19 20:54:59.673000661 +0200
@@ -24,7 +24,7 @@
#
Name: rubygem-nokogiri
-Version: 1.10.3
+Version: 1.10.4
Release: 0
%define mod_name nokogiri
%define mod_full_name %{mod_name}-%{version}
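Review bot: the `Version:` bump from 1.10.3 to 1.10.4 matches the new source gem listed under New above, and since `Source:` is derived from `%{mod_full_name}` the download URL follows automatically; `Release: 0` is left as is, which is correct for a Factory submission. Nothing further is needed in this hunk.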
@@ -33,16 +33,16 @@
%define rb_build_versions ruby25 ruby26
%define rb_build_ruby_abis ruby:2.5.0 ruby:2.6.0
%endif
-BuildRequires: libxml2-devel >= 2.6.21
-BuildRequires: libxslt-devel
BuildRequires: %{rubygem mini_portile2:2.3}
BuildRequires: %{rubygem pkg-config}
+BuildRequires: libxml2-devel >= 2.6.21
+BuildRequires: libxslt-devel
# /MANUAL
BuildRoot: %{_tmppath}/%{name}-%{version}-build
-BuildRequires: ruby-macros >= 5
BuildRequires: %{rubydevel >= 2.3.0}
BuildRequires: %{rubygem gem2rpm}
BuildRequires: %{rubygem rdoc > 3.10}
+BuildRequires: ruby-macros >= 5
BuildRequires: update-alternatives
Source: https://rubygems.org/gems/%{mod_full_name}.gem
Source1: rubygem-nokogiri-rpmlintrc
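Review bot: this hunk only reorders `BuildRequires` lines (`libxml2-devel >= 2.6.21`, `libxslt-devel` and `ruby-macros >= 5` move position); the set of build dependencies and the `libxml2-devel` minimum version are identical before and after, and the two native-library lines stay inside the MANUAL block above `# /MANUAL`, so they will survive a future gem2rpm regeneration. No functional change; acceptable as a regeneration artifact.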
@@ -74,7 +74,6 @@
rm -rf %{buildroot}%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/ports
# /MANUAL
-
%gem_packages
%changelog
++++++ gem2rpm.yml ++++++
--- /var/tmp/diff_new_pack.pfFjSd/_old 2019-08-19 20:54:59.741000647 +0200
+++ /var/tmp/diff_new_pack.pfFjSd/_new 2019-08-19 20:54:59.745000646 +0200
@@ -9,7 +9,7 @@
# ## used by gem2rpm
# :license: MIT or Ruby
# ## used by gem2rpm and gem_packages
-# :version_suffix: -x_y
+# :version_suffix: '-1.10'
# ## used by gem2rpm and gem_packages
# :disable_docs: true
# ## used by gem2rpm
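Review bot: the edited `:version_suffix:` line is still commented out (`# :version_suffix: '-1.10'`), so this change has no effect on the generated spec; it only updates the example value in the template comment. If the intent was to actually version-suffix the package, the key needs to be uncommented; if not, the hunk is harmless and can be accepted as documentation.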
++++++ nokogiri-1.10.3.gem -> nokogiri-1.10.4.gem ++++++
/work/SRC/openSUSE:Factory/rubygem-nokogiri/nokogiri-1.10.3.gem
/work/SRC/openSUSE:Factory/.rubygem-nokogiri.new.22127/nokogiri-1.10.4.gem
differ: char 134, line 1