zipsell
[Security] Bump nokogiri from 1.8.4 to 1.8.5
Bumps nokogiri from 1.8.4 to 1.8.5. This update includes security fixes.
Vulnerabilities fixed
Sourced from The Ruby Advisory Database.
Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Nokogiri 1.8.5 has been released.
This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below.
If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
Full details about the security update are available in GitHub Issue [#1785].
[#1785]: https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1785
[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
... (truncated)
Patched versions: >= 1.8.5
Unaffected versions: none
Changelog
Sourced from nokogiri's changelog.
1.8.5 / 2018-10-04
Security Notes
[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
Bug fixes
- [MRI] Fix regression in installation when building against system libraries, where some systems would not be able to find libxml2 or libxslt when present. (Regression introduced in v1.8.3.) [#1722]
- [JRuby] Fix node reparenting when the destination doc is empty. [#1773]
Commits
- e28fa4b version bump to v1.8.5
- 712edef update changelog
- 7feb4c1 Merge branch 'fix-1773'
- 7cc6cf6 Organize imports in XmlNode.java.
- 1697442 Allow reparenting nodes to be a child of an empty document.
- 7b8cd0f Merge pull request #1786 from sparklemotion/1785-canonical-usns
- 5bff4bb pull in upstream libxml2 patches
- c232226 changelog
- 862b88f changelog
- b3750eb remove -Wextra CFLAG
- Additional commits viewable in compare view
(This is an example of the kind of PRs Dependabot creates, so you can see it in action alongside #5. It won't automatically rebase or any of the clever stuff Dependabot normally does because I've manually copied it across, though.)
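As an added example (not part of this PR or of Nokogiri's own code), the following Ruby check applies the advisory's two criteria to an install: whether Nokogiri links its vendored libxml2 or the system one, and whether the version falls in the ">= 1.8.5" patched range. The sample hashes are constructed to mirror the Nokogiri::VERSION_INFO layout of the 1.8 series (the "nokogiri" version string and "libxml" => "source" keys are assumed from that series), and the live lookup only runs if the gem happens to be installed.

```ruby
# Added example: decide whether the nokogiri 1.8.5 advisory applies to an install.
# The advisory only requires an upgrade when Nokogiri bundles ("packaged") its
# own libxml2; with the distro's system libxml2, the distro's patch status decides.
require "rubygems"

PATCHED    = Gem::Requirement.new(">= 1.8.5")        # "Patched versions" from the advisory
FIXED_CVES = %w[CVE-2018-14404 CVE-2018-14567].freeze # CVEs named in the release notes

# Returns [verdict, reason]; verdict is :upgrade, :check_distro or :ok.
# version_info is shaped like Nokogiri::VERSION_INFO (keys assumed from the 1.8 series).
def assess(version_info)
  raw = version_info["nokogiri"]
  raw = raw["version"] if raw.is_a?(Hash) # newer Nokogiri nests the version (assumed)
  version = Gem::Version.new(raw)
  source  = version_info.fetch("libxml", {})["source"]

  if source == "system"
    [:check_distro,
     "nokogiri #{version} uses system libxml2; confirm the distro package fixes #{FIXED_CVES.join(', ')}"]
  elsif PATCHED.satisfied_by?(version)
    [:ok, "nokogiri #{version} bundles libxml2 with the upstream patches applied"]
  else
    [:upgrade, "nokogiri #{version} bundles unpatched libxml2; upgrade to 1.8.5 or later"]
  end
end

# Constructed sample data in the VERSION_INFO shape (not real output from any system).
SAMPLES = {
  vendored_old: { "nokogiri" => "1.8.4", "libxml" => { "source" => "packaged", "loaded" => "2.9.8" } },
  vendored_new: { "nokogiri" => "1.8.5", "libxml" => { "source" => "packaged", "loaded" => "2.9.8" } },
  system_lib:   { "nokogiri" => "1.8.4", "libxml" => { "source" => "system",   "loaded" => "2.9.4" } },
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each { |name, info| puts "#{name}: #{assess(info).join(' - ')}" }
  # Optional: inspect the live install when the gem is available.
  begin
    require "nokogiri"
    puts "live: #{assess(Nokogiri::VERSION_INFO).join(' - ')}"
  rescue LoadError
    puts "live: nokogiri gem not installed"
  end
end
```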