[ANN] nokogiri security update 1.7.1 released

Mike Dalessio

Mar 19, 2017, 11:50:29 PM
to ruby-talk, nokogiri-talk, ruby-sec...@googlegroups.com
nokogiri version 1.7.1 has been released.

This is a security update based on 1.7.0.1, addressing two upstream libxml 2.9.4 vulnerabilities classified as "Medium" by Canonical, and CVSS3 score of "5.3 Medium" by RedHat.

These patches only apply when using Nokogiri's vendored libxml2 package. If you're using your distro's system libraries, there's no need to upgrade from 1.7.0.1 at this time.

Full details are available at the github issue linked to in the changelog below.

-----

# 1.7.1 / 2017-03-19

## Security Notes

[MRI] Upstream libxml2 patches are applied to the vendored libxml 2.9.4 which address CVE-2016-4658 and CVE-2016-5131.

For more information:

* https://github.com/sparklemotion/nokogiri/issues/1615
* http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4658.html
* http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5131.html


## Dependencies

* [Windows only] Upgrade zlib from 1.2.8 to 1.2.11 (unless --use-system-libraries)
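
The announcement's upgrade condition (vendored versus system libxml2) can be checked per installation. The following is an added example, not code from the nokogiri project: `libxml2_patch_status` is a hypothetical helper, the sample hashes are constructed, and the hash shape assumed for `Nokogiri::VERSION_INFO` is a `"libxml"` entry with a `"source"` of `"packaged"` or `"system"`.

```ruby
require "rubygems"

# First release whose vendored libxml2 carries the patches (per the announcement).
PATCHED_RELEASE = Gem::Version.new("1.7.1")

# Hypothetical helper. version_info is a hash shaped like Nokogiri::VERSION_INFO
# (assumed shape: {"libxml" => {"source" => "packaged" | "system", ...}}).
def libxml2_patch_status(nokogiri_version, version_info)
  libxml = version_info["libxml"]
  # Assumption: JRuby builds carry no "libxml" entry; the note is tagged [MRI].
  return :not_applicable if libxml.nil?

  case libxml["source"]
  when "system"
    # The gem's patches do not apply here; fixes come from the OS libxml2 package.
    :check_distro_package
  when "packaged"
    if Gem::Version.new(nokogiri_version) >= PATCHED_RELEASE
      :patched
    else
      :upgrade_needed
    end
  else
    :unknown
  end
end

# Constructed sample inputs, not captured from real hosts.
SAMPLES = {
  "vendored 1.7.0.1" => ["1.7.0.1", { "libxml" => { "source" => "packaged", "loaded" => "2.9.4" } }],
  "vendored 1.7.1"   => ["1.7.1",   { "libxml" => { "source" => "packaged", "loaded" => "2.9.4" } }],
  "system 1.7.0.1"   => ["1.7.0.1", { "libxml" => { "source" => "system",   "loaded" => "2.9.4" } }],
  "jruby 1.7.0.1"    => ["1.7.0.1", { "xerces" => "constructed" } ]
}.freeze

# Map each sample name to its status.
def report(samples)
  samples.map { |name, (version, info)| [name, libxml2_patch_status(version, info)] }.to_h
end

if defined?(Nokogiri)
  # When nokogiri is already loaded, check the live installation.
  puts libxml2_patch_status(Nokogiri::VERSION, Nokogiri::VERSION_INFO)
else
  report(SAMPLES).each { |name, status| puts "#{name}: #{status}" }
end
```
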
