[ANN] nokogiri security update 1.8.1 Released


Mike Dalessio

19 Sep 2017, 12:19:08
to: nokogiri-talk, ruby-talk, ruby-sec...@googlegroups.com
nokogiri version 1.8.1 has been released.

This is primarily a security update, wherein the vendored libxml2 and libxslt versions have been updated:
  • libxml 2.9.5
  • libxslt 1.1.30
which address the CVEs called out in USN3424-1 [1].

These patches only apply when using Nokogiri's vendored libxml2 library. If you're using your distro's system libraries, there's no security need to upgrade at this time.

Full details are available at this github issue [2].


Full changelog entry:

## Dependencies

* [MRI] libxml2 is updated from 2.9.4 to 2.9.5.
* [MRI] libxslt is updated from 1.1.29 to 1.1.30.
* [MRI] optional dependency on the pkg-config gem has had its constraint loosened to `~> 1.1` (from `~> 1.1.7`). [#1660]
* [MRI] Upgrade mini_portile2 dependency from `~> 2.2.0` to `~> 2.3.0`, which will validate checksums on the vendored libxml2 and libxslt tarballs before using them.


## Bugs

* NodeSet#first with an integer argument longer than the length of the NodeSet now correctly clamps the length of the returned NodeSet to the original length. [#1650] (Thanks, @Derenge!)
* [MRI] Ensure CData.new raises TypeError if the `content` argument is not implicitly convertible into a string. [#1669]
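
The announcement says the update matters only for installs using the vendored libxml2. The following check is an added example, not part of the original message or of Nokogiri itself. It assumes a hash laid out like `Nokogiri::VERSION_INFO` (a `"libxml"` entry with `"source"` and `"loaded"` keys, and an optional `"libxslt"` entry); the helper names and sample hashes are constructed for illustration.

```ruby
require "rubygems" # Gem::Version gives numeric ordering (2.9.10 > 2.9.5)

# Fixed versions named in the announcement.
FIXED = { "libxml"  => Gem::Version.new("2.9.5"),
          "libxslt" => Gem::Version.new("1.1.30") }.freeze

# True when the version string is missing, malformed, or older than the fix.
def stale?(loaded, fixed)
  return true unless loaded.is_a?(String) && Gem::Version.correct?(loaded)
  Gem::Version.new(loaded) < fixed
end

# info: hash shaped like Nokogiri::VERSION_INFO (assumed layout).
# Returns [status, findings]; status is one of
# :not_applicable, :system, :upgrade, :ok.
def vendored_lib_status(info)
  libxml = info["libxml"]
  return [:not_applicable, []] unless libxml.is_a?(Hash)
  # Distro-provided libraries are patched by the distro, not by the gem.
  return [:system, []] unless libxml["source"] == "packaged"

  findings = FIXED.each_with_object([]) do |(lib, fixed), acc|
    entry = info[lib]
    next unless entry.is_a?(Hash) # the libxslt entry is optional
    loaded = entry["loaded"]
    acc << "#{lib} #{loaded.inspect} is older than #{fixed}" if stale?(loaded, fixed)
  end
  findings.empty? ? [:ok, []] : [:upgrade, findings]
end

# Constructed sample inputs, not captured from real installs.
SAMPLES = {
  "vendored, before update" => { "libxml" => { "source" => "packaged", "loaded" => "2.9.4" } },
  "vendored, after update"  => { "libxml" => { "source" => "packaged", "loaded" => "2.9.5" } },
  "system libraries"        => { "libxml" => { "source" => "system",   "loaded" => "2.9.4" } }
}.freeze

if __FILE__ == $PROGRAM_NAME
  begin
    require "nokogiri" # inspect the running install when the gem is present
    p vendored_lib_status(Nokogiri::VERSION_INFO)
  rescue LoadError
    SAMPLES.each { |name, info| puts "#{name}: #{vendored_lib_status(info).inspect}" }
  end
end
```

A missing or unparseable version on a vendored build is reported as `:upgrade` so that an unknown state is never treated as patched.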
