[ANN] nokogiri security update 1.8.1 Released


Mike Dalessio

Sep 19, 2017, 12:19:08 PM
to nokogiri-talk, ruby-talk, ruby-sec...@googlegroups.com
nokogiri version 1.8.1 has been released.

This is primarily a security update, wherein the vendored libxml2 and libxslt versions have been updated:
  • libxml 2.9.5
  • libxslt 1.1.30
which address the CVEs called out in USN-3424-1 [1].

These patches only apply when using Nokogiri's vendored libxml2 library. If you're using your distro's system libraries, there's no security need to upgrade at this time.

Full details are available at this github issue [2].

  [1]: https://usn.ubuntu.com/usn/usn-3424-1/
  [2]: https://github.com/sparklemotion/nokogiri/issues/1673

Full changelog entry:

## Dependencies

* [MRI] libxml2 is updated from 2.9.4 to 2.9.5.
* [MRI] libxslt is updated from 1.1.29 to 1.1.30.
* [MRI] optional dependency on the pkg-config gem has had its constraint loosened to `~> 1.1` (from `~> 1.1.7`). [#1660]
* [MRI] Upgrade mini_portile2 dependency from `~> 2.2.0` to `~> 2.3.0`, which will validate checksums on the vendored libxml2 and libxslt tarballs before using them.


## Bugs

* NodeSet#first with an integer argument longer than the length of the NodeSet now correctly clamps the length of the returned NodeSet to the original length. [#1650] (Thanks, @Derenge!)
* [MRI] Ensure CData.new raises TypeError if the `content` argument is not implicitly convertible into a string. [#1669]
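The announcement's caveat that the fix only matters for the vendored build is easy to check mechanically. The following is an added example, not code from the release or the Nokogiri project: it classifies an install from a hash shaped like `Nokogiri::VERSION_INFO` (the structure `nokogiri -v` prints), assuming `info["libxml"]["source"]` is `"packaged"` for the vendored library or `"system"` for a distro library and `info["libxml"]["loaded"]` is the libxml2 version loaded at runtime. The sample installs are constructed, and `live_status` is a convenience that only works where the gem is installed.

```ruby
require "rubygems" # Gem::Version ships with Ruby; no extra gems needed

# Vendored libxml2 version that nokogiri 1.8.1 ships (from the announcement).
FIXED_LIBXML2 = Gem::Version.new("2.9.5")

# Decide whether the 1.8.1 update addresses a given install. `info` is assumed
# to have the shape of Nokogiri::VERSION_INFO as printed by `nokogiri -v`:
#   info["libxml"]["source"] -> "packaged" (vendored build) or "system" (distro library)
#   info["libxml"]["loaded"] -> libxml2 version actually loaded at runtime
# Returns one of:
#   :upgrade_nokogiri - vendored libxml2 older than 2.9.5, so the gem update is the fix
#   :already_patched  - vendored libxml2 already 2.9.5 or newer
#   :patch_via_distro - system libxml2: the gem update changes nothing; the OS package does
def advisory_status(info)
  libxml = info.fetch("libxml")
  return :patch_via_distro if libxml["source"] == "system"

  loaded = Gem::Version.new(libxml.fetch("loaded"))
  loaded < FIXED_LIBXML2 ? :upgrade_nokogiri : :already_patched
end

# Classifies the Nokogiri loaded into this interpreter, if one is installed.
def live_status
  require "nokogiri"
  advisory_status(Nokogiri::VERSION_INFO)
rescue LoadError
  nil # nokogiri is not available in this Ruby
end

# Constructed samples standing in for three installs (not real `nokogiri -v` output).
SAMPLE_INSTALLS = {
  "1.8.0 vendored"  => { "libxml" => { "source" => "packaged", "loaded" => "2.9.4" } },
  "1.8.1 vendored"  => { "libxml" => { "source" => "packaged", "loaded" => "2.9.5" } },
  "1.8.0 on distro" => { "libxml" => { "source" => "system",   "loaded" => "2.9.4" } },
}.freeze

# Evaluate every sample; returns a name => status hash in the samples' order.
def report(installs = SAMPLE_INSTALLS)
  installs.transform_values { |info| advisory_status(info) }
end

if $PROGRAM_NAME == __FILE__
  report.each { |name, status| puts "#{name.ljust(16)} -> #{status}" }
  puts "this interpreter -> #{live_status || 'nokogiri not installed'}"
end
```

The `"system"` branch is the point of the caveat: an app built against the distro's libxml2 keeps using that library after a gem upgrade, so the USN fix has to come from the OS package, and the gem version number alone says nothing about exposure.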

Walter Lee Davis

Sep 19, 2017, 2:26:34 PM
to nokogi...@googlegroups.com
Would it be possible to back-merge these changes to a version that could work with Rails 4.2? We have a few apps that rely on the gem rails-dom-testing, which locks us to that version, and keeps us from updating Nokogiri to fix this CVE.

Walter
> --
> You received this message because you are subscribed to the Google Groups "nokogiri-talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to nokogiri-tal...@googlegroups.com.
> To post to this group, send email to nokogi...@googlegroups.com.
> Visit this group at https://groups.google.com/group/nokogiri-talk.
> For more options, visit https://groups.google.com/d/optout.

Andrew Selder

Sep 19, 2017, 2:28:20 PM
to nokogi...@googlegroups.com
I just updated. Nokogiri 1.8.1 works with Rails 4.2.7.1

Andrew

Mike Dalessio

Sep 19, 2017, 10:23:56 PM
to nokogiri-talk
Walter, it looks like rails-dom-testing [1] specifies this dependency on nokogiri:

spec.add_dependency "nokogiri", ">= 1.6"

Can you help me understand by providing a bit more information about why you're having issues using Nokogiri 1.8.1?


On Tue, Sep 19, 2017 at 2:26 PM, Walter Lee Davis <wa...@wdstudio.com> wrote:
Would it be possible to  back-merge these changes to a version that could work with Rails 4.2? We have a few apps that rely on the gem rails-dom-testing, which locks us to that version, and keeps us from updating Nokogiri to fix this CVE.

Walter


Walter Lee Davis

Sep 19, 2017, 11:36:42 PM
to nokogi...@googlegroups.com
Thanks for your help. Once I updated rails-dom-testing as well, Nokogiri installed properly. 

Walter

ga...@500px.com

Dec 17, 2017, 11:18:09 AM
to nokogiri-talk
Am I missing something?

actionpack 4.2.7.1 depends on rails-dom-testing (>= 1.0.5, ~> 1.0) (https://github.com/rails/rails/blob/4-2-stable/actionpack/actionpack.gemspec#L27)

rails-dom-testing's 1.0 branch depends on nokogiri ~> 1.6 (https://github.com/rails/rails-dom-testing/blob/1-0-stable/rails-dom-testing.gemspec#L20)

How did you resolve that?

Gavin

Walter Lee Davis

Dec 17, 2017, 12:07:26 PM
to nokogi...@googlegroups.com
It looks as though we ran bundle update rails-dom-testing and got 1.0.8, which satisfied everything to get us to Nokogiri 1.8.1. Sorry I don't have more details, this was a while ago.

Walter
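Walter's `bundle update rails-dom-testing` works because the gemspec constraints Gavin quotes never excluded nokogiri 1.8.1 in the first place: a pessimistic constraint `~> 1.6` means `>= 1.6, < 2.0`, so what held the app back was its Gemfile.lock, which Bundler keeps until asked to re-resolve. The same operator explains the changelog's loosening of the pkg-config constraint from `~> 1.1.7` to `~> 1.1`. The block below is an added example, not code from the thread or from Rails; it evaluates those constraints with Ruby's own `Gem::Requirement` against a constructed subset of release numbers (`1.2.0` for pkg-config is a hypothetical value used only to show the widened range).

```ruby
require "rubygems" # Gem::Requirement and Gem::Version are part of Ruby's stdlib

# True when `version` satisfies a gemspec-style constraint string such as
# "~> 1.6" or ">= 1.0.5, ~> 1.0" (comma-separated clauses are ANDed, as in a gemspec).
def satisfies?(constraint, version)
  clauses = constraint.split(",").map(&:strip)
  Gem::Requirement.new(*clauses).satisfied_by?(Gem::Version.new(version))
end

# Highest candidate version a constraint admits, or nil when none does.
def newest_allowed(constraint, candidates)
  candidates.select { |v| satisfies?(constraint, v) }.max_by { |v| Gem::Version.new(v) }
end

# Constructed candidate lists: a small subset of release numbers, for illustration only.
NOKOGIRI_RELEASES = %w[1.6.8 1.7.2 1.8.0 1.8.1].freeze
RAILS_DOM_TESTING_RELEASES = %w[1.0.5 1.0.8 2.0.3].freeze

# The chain Gavin quotes: actionpack 4.2 -> rails-dom-testing (>= 1.0.5, ~> 1.0)
# and rails-dom-testing 1.0.x -> nokogiri (~> 1.6). Returns the newest versions
# each constraint admits from the candidate lists above.
def rails42_resolution
  {
    "rails-dom-testing" => newest_allowed(">= 1.0.5, ~> 1.0", RAILS_DOM_TESTING_RELEASES),
    "nokogiri"          => newest_allowed("~> 1.6", NOKOGIRI_RELEASES),
  }
end

if $PROGRAM_NAME == __FILE__
  puts "~> 1.6   admits nokogiri 1.8.1?   #{satisfies?('~> 1.6', '1.8.1')}"   # >= 1.6, < 2.0
  puts "~> 1.6.0 admits nokogiri 1.8.1?   #{satisfies?('~> 1.6.0', '1.8.1')}" # >= 1.6.0, < 1.7
  puts "~> 1.1.7 admits pkg-config 1.2.0? #{satisfies?('~> 1.1.7', '1.2.0')}" # >= 1.1.7, < 1.2
  puts "~> 1.1   admits pkg-config 1.2.0? #{satisfies?('~> 1.1', '1.2.0')}"   # >= 1.1, < 2.0
  p rails42_resolution
end
```

The practical check is therefore not the gemspec but `bundle outdated nokogiri` (or inspecting Gemfile.lock) to see which version the lock actually pins, and then `bundle update` on the gem whose old lock entry is in the way.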