Date: Sun, 11 Aug 2019 23:14:47 +0000
From: "Izumi Tsutsui"
Subject: CVS commit: pkgsrc/textproc/ruby-nokogiri
To: pkgsrc-changes@NetBSD.org
Reply-To: tsutsui@netbsd.org
Message-Id: <20190811231448.044E9FBF4@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   tsutsui
Date:           Sun Aug 11 23:14:47 UTC 2019

Modified Files:
        pkgsrc/textproc/ruby-nokogiri: Makefile distinfo

Log Message:
ruby-nokogiri: update to 1.10.4.

Upstream changelog:
https://github.com/sparklemotion/nokogiri/blob/v1.10.4/CHANGELOG.md

# 1.10.4 / 2019-08-07

### Security

#### Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
commands to be executed in a subprocess by Ruby's `Kernel.open` method.
Processes are vulnerable only if the undocumented method
`Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions
v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner
code for parsing CSS queries. The underlying vulnerability was addressed in
Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in
Nokogiri v1.10.4.

This CVE's public notice is
https://github.com/sparklemotion/nokogiri/issues/1915

To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.47 pkgsrc/textproc/ruby-nokogiri/Makefile
cvs rdiff -u -r1.33 -r1.34 pkgsrc/textproc/ruby-nokogiri/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

--_----------=_1565565287172590 Content-Disposition: inline Content-Length: 1673 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/textproc/ruby-nokogiri/Makefile diff -u pkgsrc/textproc/ruby-nokogiri/Makefile:1.46 pkgsrc/textproc/ruby-nokogiri/Makefile:1.47 --- pkgsrc/textproc/ruby-nokogiri/Makefile:1.46 Sat Jun 22 04:11:59 2019 +++ pkgsrc/textproc/ruby-nokogiri/Makefile Sun Aug 11 23:14:47 2019 @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.46 2019/06/22 04:11:59 tsutsui Exp $ +# $NetBSD: Makefile,v 1.47 2019/08/11 23:14:47 tsutsui Exp $ -DISTNAME= nokogiri-1.10.3 +DISTNAME= nokogiri-1.10.4 CATEGORIES= textproc MAINTAINER= tsutsui@NetBSD.org Index: pkgsrc/textproc/ruby-nokogiri/distinfo diff -u pkgsrc/textproc/ruby-nokogiri/distinfo:1.33 pkgsrc/textproc/ruby-nokogiri/distinfo:1.34 --- pkgsrc/textproc/ruby-nokogiri/distinfo:1.33 Sat Jun 22 04:11:59 2019 +++ pkgsrc/textproc/ruby-nokogiri/distinfo Sun Aug 11 23:14:47 2019 @@ -1,6 +1,6 @@ -$NetBSD: distinfo,v 1.33 2019/06/22 04:11:59 tsutsui Exp $ +$NetBSD: distinfo,v 1.34 2019/08/11 23:14:47 tsutsui Exp $ -SHA1 (nokogiri-1.10.3.gem) = 28e34a5d5cfcf6ddc75ddf689c3fda4c6708d8ad -RMD160 (nokogiri-1.10.3.gem) = f109d98f3605e541805d5f4b5fd7d1f104c463a5 -SHA512 (nokogiri-1.10.3.gem) = a73b613964cfa712c574cc8b8366f461ba51647a001ccb1845853c5846de450f1631311d1ea6c776d74c0f06a146869cc283d670cb99de229945c8743be6cbc8 -Size (nokogiri-1.10.3.gem) = 8983040 bytes +SHA1 (nokogiri-1.10.4.gem) = 528336a1ebac4758a01c643c0ad0031a33febe2c +RMD160 (nokogiri-1.10.4.gem) = bbe35df76428c10446ebc16f7d1e2bd65ff6c0b8 +SHA512 (nokogiri-1.10.4.gem) = 4d852546d430d7de3da79d0b4006f71e9a909779a824530ced5df79a76dfd79ddc0415caa9f9bde582399abb816ea279de0fea6cdd40eafa0652347fb86aa220 +Size (nokogiri-1.10.4.gem) = 8983040 bytes --_----------=_1565565287172590--
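
Review bot: In the distinfo hunk the Size line carries the same value before and after the update (8983040 bytes for both nokogiri-1.10.3.gem and nokogiri-1.10.4.gem) while the SHA1, RMD160 and SHA512 lines all change. Two releases can happen to have the same size, but since this update delivers the CVE-2019-5477 fix, please confirm that distinfo was regenerated from the fetched 1.10.4 distfile and not edited by hand, so that the recorded digests and size all describe the same file.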
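
The version boundaries in the log message above (Nokogiri 1.10.4, Rexical 1.0.7) can be checked against a project's `Gemfile.lock`. The following is an added example, not code from pkgsrc or Nokogiri; the function name `cve_2019_5477_findings` and the sample lockfile are constructed for illustration. A finding means the affected code is present, not that `Nokogiri::CSS::Tokenizer#load_file` actually receives untrusted input.

```ruby
require "rubygems"
# Fixed releases named in the log message above.
FIXED_IN = {
  "nokogiri" => Gem::Version.new("1.10.4"),
  "rexical"  => Gem::Version.new("1.0.7"),
}.freeze

# Resolved gems in a Gemfile.lock are indented four spaces: "    name (version)".
# Dependency constraints under them are indented six spaces and are skipped.
SPEC_LINE = /\A {4}(?<name>[A-Za-z0-9_.-]+) \((?<version>[^)\s]+)\)\s*\z/

# Returns [[name, locked_version, fixed_version], ...] for every locked gem
# that is older than the release carrying the CVE-2019-5477 fix.
def cve_2019_5477_findings(lockfile_text)
  findings = []
  lockfile_text.each_line do |line|
    m = SPEC_LINE.match(line.chomp) or next
    fixed = FIXED_IN[m[:name]] or next
    # Platform gems are locked as e.g. "1.10.3-x64-mingw32"; compare the
    # numeric part only.
    numeric = m[:version].split("-", 2).first
    next unless Gem::Version.correct?(numeric)
    locked = Gem::Version.new(numeric)
    findings << [m[:name], m[:version], fixed.to_s] if locked < fixed
  end
  findings.uniq
end

# Constructed sample lockfile, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.4.0)
      nokogiri (1.10.3)
        mini_portile2 (~> 2.4.0)
      nokogiri (1.10.3-x64-mingw32)
        mini_portile2 (~> 2.4.0)
      rexical (1.0.7)
LOCK

if __FILE__ == $PROGRAM_NAME
  # Pass a path to a Gemfile.lock, or run without arguments for the sample.
  path = ARGV.first
  text = path && File.file?(path) ? File.read(path) : SAMPLE_LOCK
  cve_2019_5477_findings(text).each do |name, locked, fixed|
    puts "#{name} #{locked} is older than #{fixed} (CVE-2019-5477 fix)"
  end
end
```

A locked `rexical` entry matters for projects that generate their own scanners with it, since the log message places the flaw in Rexical-generated code.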