Home > Mobile >  Is a Ruby 2.x application vulnerable to Nokogiri 1.13.1 vulnerabilities?
Is a Ruby 2.x application vulnerable to Nokogiri 1.13.1 vulnerabilities?

Time:02-24

I have a Ruby 2.5.1 application that uses Nokogiri 1.12.5. bundle audit says I should upgrade to Nokogiri 1.13.2, however "Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)" states

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.2

The Wikipedia page for CRuby states that Ruby 2.x uses YARV as its interpreter rather than CRuby.
Am I right to conclude that my application is not vulnerable to this issue with Nokogiri?

Please note, I'm aware that Nokogiri 1.13.3 has since been released which reverts one of these fixes, and that I should be on a more up to date Ruby.

CodePudding user response:

You should upgrade nokogiri to the latest possible for your project, especially when dealing with security issues. There are some caveats to this particular advisory, so you might not be vulnerable, but when dealing with security it's better to be overly cautious.

The note on Wikipedia refers to the MRI CRuby implementation as opposed to the others (like jruby).

Page link:https//www.codepudding.com/Mobile/313330.html

Prev:PID returned by spawn differs from Process.pid of the child process
Next:rename a duplicated IDs pandas
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding