spec.add_dependency "nokogiri", ">= 1.6"
Would it be possible to back-merge these changes to a version that could work with Rails 4.2? We have a few apps that rely on the gem rails-dom-testing, which locks us to that version, and keeps us from updating Nokogiri to fix this CVE.
Walter
> On Sep 19, 2017, at 12:18 PM, Mike Dalessio <mike.d...@gmail.com> wrote:
>
> nokogiri version 1.8.1 has been released.
>
> This is primarily a security update, wherein the vendored libxml2 and libxslt versions have been updated:
> • libxml 2.9.5
> • libxslt 1.1.30
> which address the CVEs called out in USN3424-1 [1].
>
> These patches only apply when using Nokogiri's vendored libxml2 library. If you're using your distro's system libraries, there's no security need to upgrade at this time.
>
> Full details are available at this github issue [2].
>
> [1]: https://usn.ubuntu.com/usn/usn-3424-1/
> [2]: https://github.com/sparklemotion/nokogiri/issues/1673
>
>
> Full changelog entry:
>
> ## Dependencies
>
> * [MRI] libxml2 is updated from 2.9.4 to 2.9.5.
> * [MRI] libxslt is updated from 1.1.29 to 1.1.30.
> * [MRI] optional dependency on the pkg-config gem has had its constraint loosened to `~> 1.1` (from `~> 1.1.7`). [#1660]
> * [MRI] Upgrade mini_portile2 dependency from `~> 2.2.0` to `~> 2.3.0`, which will validate checksums on the vendored libxml2 and libxslt tarballs before using them.
>
>
> ## Bugs
>
> * NodeSet#first with an integer argument longer than the length of the NodeSet now correctly clamps the length of the returned NodeSet to the original length. [#1650] (Thanks, @Derenge!)
> * [MRI] Ensure CData.new raises TypeError if the `content` argument is not implicitly convertible into a string. [#1669]
>
>
> --
> You received this message because you are subscribed to the Google Groups "nokogiri-talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to nokogiri-talk+unsubscribe@googlegroups.com.
> To post to this group, send email to nokogi...@googlegroups.com.
> Visit this group at https://groups.google.com/group/nokogiri-talk.
> For more options, visit https://groups.google.com/d/optout.
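The announcement says the fix only matters when Nokogiri runs on its vendored libxml2. The following is an added example, not part of the thread or of Nokogiri's own code, that classifies an installation from a `Nokogiri::VERSION_INFO`-style hash. The method name `libxml2_status` and the sample hashes are constructed for illustration.

```ruby
require "rubygems"

# libxml2 version shipped with nokogiri 1.8.1, per the announcement.
FIXED_LIBXML2 = Gem::Version.new("2.9.5")

# Classify a Nokogiri::VERSION_INFO-style hash (hypothetical helper).
#   :not_applicable    no libxml2 entry at all (e.g. JRuby builds)
#   :system_library    distro libxml2 in use; patching is the distro's job
#   :vendored_outdated packaged libxml2 older than 2.9.5
#   :vendored_patched  packaged libxml2 at 2.9.5 or newer
def libxml2_status(info)
  libxml = info["libxml"]
  return :not_applicable if libxml.nil?
  return :system_library unless libxml["source"] == "packaged"

  loaded = Gem::Version.new(libxml["loaded"])
  loaded < FIXED_LIBXML2 ? :vendored_outdated : :vendored_patched
end

# Constructed sample inputs, shaped like VERSION_INFO on MRI.
SAMPLE_OLD    = { "libxml" => { "source" => "packaged", "loaded" => "2.9.4" } }
SAMPLE_NEW    = { "libxml" => { "source" => "packaged", "loaded" => "2.9.5" } }
SAMPLE_SYSTEM = { "libxml" => { "source" => "system",   "loaded" => "2.9.4" } }

# When nokogiri is installed, report on the real installation too.
begin
  require "nokogiri"
  puts "this installation: #{libxml2_status(Nokogiri::VERSION_INFO)}"
rescue LoadError
  puts "nokogiri not installed; sample (old vendored): #{libxml2_status(SAMPLE_OLD)}"
end
```
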