[ANN] nokogiri security update 1.8.1 Released


Mike Dalessio

Sep 19, 2017, 12:19:08 PM
to nokogiri-talk, ruby-talk, ruby-sec...@googlegroups.com
nokogiri version 1.8.1 has been released.

This is primarily a security update, wherein the vendored libxml2 and libxslt versions have been updated:
  • libxml 2.9.5
  • libxslt 1.1.30
which address the CVEs called out in USN3424-1 [1].

These patches only apply when using Nokogiri's vendored libxml2 library. If you're using your distro's system libraries, there's no security need to upgrade at this time.

Full details are available at this github issue [2].


Full changelog entry:

## Dependencies

* [MRI] libxml2 is updated from 2.9.4 to 2.9.5.
* [MRI] libxslt is updated from 1.1.29 to 1.1.30.
* [MRI] optional dependency on the pkg-config gem has had its constraint loosened to `~> 1.1` (from `~> 1.1.7`). [#1660]
* [MRI] Upgrade mini_portile2 dependency from `~> 2.2.0` to `~> 2.3.0`, which will validate checksums on the vendored libxml2 and libxslt tarballs before using them.


## Bugs

* NodeSet#first with an integer argument longer than the length of the NodeSet now correctly clamps the length of the returned NodeSet to the original length. [#1650] (Thanks, @Derenge!)
* [MRI] Ensure CData.new raises TypeError if the `content` argument is not implicitly convertible into a string. [#1669]
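As an added example (not code from the announcement or the Nokogiri project), here is a small Ruby check that reads the `Nokogiri::VERSION_INFO` hash and reports whether the vendored-library advisory applies to an install. It assumes the 1.8-era hash keys `"libxml" => {"source", "loaded"}` (an assumption about the hash layout) and falls back to a constructed sample when the gem is not installed.

```ruby
# Added example, not code from the Nokogiri project: decide from a
# Nokogiri::VERSION_INFO hash whether this advisory applies to an install.
# Assumed hash shape (1.8-era version.rb; treat the keys as an assumption):
#   {"nokogiri" => "1.8.0", "libxml" => {"source" => "packaged", "loaded" => "2.9.4"}}
require "rubygems"

FIXED_LIBXML2 = Gem::Version.new("2.9.5") # version named in the announcement

# Returns one of:
#   :system_libxml2 - distro libxml2 in use; the vendored-library advisory
#                     does not apply (patch via the OS package manager instead)
#   :vulnerable     - a vendored libxml2 older than 2.9.5 is loaded; upgrade
#   :patched        - the vendored libxml2 is already 2.9.5 or newer
#   :unknown        - the hash lacks the keys (or a parseable version) to decide
def advisory_verdict(info)
  libxml = info["libxml"]
  return :unknown unless libxml.is_a?(Hash) && libxml["loaded"]
  return :system_libxml2 unless libxml["source"] == "packaged"

  loaded = Gem::Version.new(libxml["loaded"])
  loaded < FIXED_LIBXML2 ? :vulnerable : :patched
rescue ArgumentError # Gem::Version rejects a malformed version string
  :unknown
end

# Use the live gem when it is installed; otherwise fall back to a constructed
# sample that mimics a nokogiri 1.8.0 install with the vendored libxml2.
def current_version_info
  require "nokogiri"
  Nokogiri::VERSION_INFO
rescue LoadError
  { "nokogiri" => "1.8.0",
    "libxml" => { "source" => "packaged", "loaded" => "2.9.4" } }
end

if __FILE__ == $PROGRAM_NAME
  info = current_version_info
  puts "nokogiri #{info['nokogiri']}: #{advisory_verdict(info)}"
end
```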
