Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade gem loofa to '>= 2.19.1' - MAY require Rails update. #1102

Open
Janell-Huyck opened this issue Nov 3, 2023 · 0 comments
Open

Upgrade gem loofa to '>= 2.19.1' - MAY require Rails update. #1102

Janell-Huyck opened this issue Nov 3, 2023 · 0 comments
Milestone
Security and Main...

Comments

@Janell-Huyck
Copy link
Contributor

Our gem rails-html-sanitizer is already using loofa ~> 2.3, and our gem bulkrax is using loofa >=2.2.3. It is unclear what is causing us to have 2.18.0 pinned in Gemfile.lock, but I suspect it may be our Rails version.

No noted breaking changes in loofa changelog from 2.18.0 to 2.19.1.

bundler-audit messages:

Name: loofah
Version: 2.18.0
CVE: CVE-2022-23515
GHSA: GHSA-228g-948r-83gx
Criticality: Medium
URL: GHSA-228g-948r-83gx
Title: Improper neutralization of data URIs may allow XSS in Loofah
Solution: upgrade to '>= 2.19.1'

Name: loofah
Version: 2.18.0
CVE: CVE-2022-23514
GHSA: GHSA-486f-hjj9-9vhh
Criticality: High
URL: GHSA-486f-hjj9-9vhh
Title: Inefficient Regular Expression Complexity in Loofah
Solution: upgrade to '>= 2.19.1'

Name: loofah
Version: 2.18.0
CVE: CVE-2022-23516
GHSA: GHSA-3x8r-x6xp-q4vm
Criticality: High
URL: GHSA-3x8r-x6xp-q4vm
Title: Uncontrolled Recursion in Loofah
Solution: upgrade to '>= 2.19.1'
@scherztc scherztc added this to the Security and Maintenance milestone Apr 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Security and Maintenance
Development

No branches or pull requests
2 participants
@scherztc @Janell-Huyck