[Security] Bump nokogiri from 1.8.4 to 1.8.5

[greysteil]

Bumps nokogiri from 1.8.4 to 1.8.5. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Nokogiri 1.8.5 has been released.

This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.

Full details about the security update are available in Github Issue #1785. [#1785]: https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1785

---

[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.

... (truncated)

Patched versions: >= 1.8.5 Unaffected versions: none

Changelog

Sourced from nokogiri's changelog.

1.8.5 / 2018-10-04

Security Notes

[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.

Bug fixes

• [MRI] Fix regression in installation when building against system libraries, where some systems would not be able to find libxml2 or libxslt when present. (Regression introduced in v1.8.3.) [#1722]
• [JRuby] Fix node reparenting when the destination doc is empty. [#1773]

Commits

• e28fa4b version bump to v1.8.5
• 712edef update changelog
• 7feb4c1 Merge branch 'fix-1773'
• 7cc6cf6 Organize imports in XmlNode.java.
• 1697442 Allow reparenting nodes to be a child of an empty document.
• 7b8cd0f Merge pull request #1786 from sparklemotion/1785-canonical-usns
• 5bff4bb pull in upstream libxml2 patches
• c232226 changelog
• 862b88f changelog
• b3750eb remove -Wextra CFLAG
• Additional commits viewable in compare view

(This is an example of the kind of PRs Dependabot creates, so you can see it in action alongside #5. It won't automatically rebase or any of the clever stuff Dependabot normally does because I've manually copied it across, though.)