"Nokogiri v1.10.5 was released on 2019-10-31."
Name: nokogiri
Version: 1.10.4
Advisory: CVE-2020-7595
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1992
Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Solution: upgrade to >= 1.10.8

Name: nokogiri
Version: 1.10.4
Advisory: CVE-2019-13117
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5
(In reply to Anton Bolshakov from comment #1)
> Name: nokogiri
> Version: 1.10.4
> Advisory: CVE-2020-7595
> Criticality: High
> URL: https://github.com/sparklemotion/nokogiri/issues/1992
> Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
> Solution: upgrade to >= 1.10.8
>
> Name: nokogiri
> Version: 1.10.4
> Advisory: CVE-2019-13117
> Criticality: Unknown
> URL: https://github.com/sparklemotion/nokogiri/issues/1943
> Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
> Solution: upgrade to >= 1.10.5

File security bugs so we don't lose track of 'em, but here libxml and libxslt aren't vendored, so these were fixed by the blocker bug (yay). It's not actually a 'depends on' anymore because the bump & stabilisation is done, so I'll move that.

We also have 1.10.10 since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ebccde55faac914ea96b744a9723b2ee542f2152 (15th August) so I'm going to tentatively close.

Thanks for the comment btw.
FYI there is now bug 742458 to stable nokogiri 1.10.10.