
[Security] Bump loofah from 2.2.2 to 2.2.3 #8

Closed

Conversation

greysteil

Bumps loofah from 2.2.2 to 2.2.3. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Loofah XSS Vulnerability
In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Patched versions: >= 2.2.3
Unaffected versions: none

Release notes

Sourced from loofah's releases.

v2.2.3

Notably, this release addresses CVE-2018-16468.

Changelog

Sourced from loofah's changelog.

2.2.3 / 2018-10-30

Security

Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at https://github-redirect.dependabot.com/flavorjones/loofah/issues/154

Meta / 2018-10-27

The mailing list is now on Google Groups #146:

This change was made because librelist no longer appears to be maintained.

Commits
  • cb3dbfa version bump to v2.2.3 and update CHANGELOG
  • 71e4b54 remove the svg animate attribute from from the allowlist
  • 3556e2b add formatting to CHANGELOG
  • ac7c50d updated mailing list to a new Google Group
  • de6b0f3 extract msword html data into an asset file
  • See full diff in compare view

Dependabot compatibility score

Would still love you to use Dependabot on this repo - it's free and will make your life better, I promise! You'd also be helping us help the community, because it would let us feed back any bugs your test suite surfaces to maintainers.

Bumps [loofah](https://github.com/flavorjones/loofah) from 2.2.2 to 2.2.3. **This update includes security fixes.**
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md)
- [Commits](flavorjones/loofah@v2.2.2...v2.2.3)

Signed-off-by: dependabot[bot] <[email protected]>
@CLAassistant

CLA assistant check
Thank you for your submission, we really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@greysteil
Author

I'm not going to port the Rack security update across to this repo because I don't want you to feel like I'm spamming you with them, or to assume it's an automated process, but if you take a look at this you probably also want to update Rack to 2.0.6.
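As an added, defender-side example (not code from this PR, from Dependabot or from loofah), here is a Ruby check that reads a Gemfile.lock and flags gems pinned below the patched ranges named in this thread: loofah >= 2.2.3 from the advisory in the PR description and Rack 2.0.6 from the comment just above. The lockfile contents are constructed for the example.

```ruby
# Added example (not part of this Dependabot PR or of loofah): audit a Gemfile.lock.

# loofah >= 2.2.3 is the patched range from the advisory above; rack >= 2.0.6
# is the version greysteil's comment recommends (its advisory is not quoted here).
ADVISORIES = {
  "loofah" => { cve: "CVE-2018-16468", patched: ">= 2.2.3" },
  "rack"   => { cve: "(Rack advisory, not quoted in this thread)", patched: ">= 2.0.6" },
}.freeze

# Parse the "specs:" block of a Gemfile.lock into { name => locked version }.
# Only 4-space-indented "name (version)" lines are resolved gems; the 6-space
# lines beneath them are dependency constraints, not pinned versions.
def locked_gems(lockfile_text)
  gems = {}
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = true if line.start_with?("  specs:")
    in_specs = false if in_specs && line.strip.empty?
    next unless in_specs
    if (m = line.match(/\A    (\S+) \(([^)]+)\)\s*\z/))
      gems[m[1]] = m[2]
    end
  end
  gems
end

# Return the locked gems whose version falls outside the patched range.
def vulnerable_gems(lockfile_text, advisories = ADVISORIES)
  locked_gems(lockfile_text).each_with_object([]) do |(name, version), found|
    next unless (adv = advisories[name])
    next if Gem::Requirement.new(adv[:patched]).satisfied_by?(Gem::Version.new(version))
    found << { name: name, locked: version, needed: adv[:patched], cve: adv[:cve] }
  end
end

# Constructed sample lockfile mirroring the state this PR bumps from.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.2.2)
        crass (~> 1.0.2)
      nokogiri (1.8.5)
      rack (2.0.5)

  PLATFORMS
    ruby
LOCK
```

Run `vulnerable_gems(File.read("Gemfile.lock"))` against a real lockfile; each returned hash names the gem, its locked version and the range it needs to reach.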

@djbender
Contributor

Closing per discussion in #5. We'll get these updated separately.

@djbender djbender closed this Jun 20, 2019