Skip to content

Commit

Permalink
dep: update libxml to 2.11.7 (branch 1.15.x) (#3154)
Browse files Browse the repository at this point in the history
**What problem is this PR intended to solve?**

In #3146,
@jamiemccarthy requested a security release on the v1.15.x branch to
address CVE-2024-25062 which was fixed in v1.16.2 with an upgrade to
libxml 2.12.5.

This PR attempts to upgrade the v1.15.x branch to [libxml
2.11.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.7) (from
2.11.6) which also addresses that vulnerability.

Also see related
GHSA-xc9x-jj77-9p9j
  • Loading branch information
flavorjones authored Mar 16, 2024
2 parents 5745d4b + 9827619 commit f8156b4
Show file tree
Hide file tree
Showing 3 changed files with 17 additions and 7 deletions.
13 changes: 13 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,19 @@ Nokogiri follows [Semantic Versioning](https://semver.org/), please see the [REA

---

## 1.15.next / unreleased

### Security

* [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See [GHSA-xc9x-jj77-9p9j](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j) for more information.


### Dependencies

* [CRuby] Vendored libxml2 is updated to v2.11.7 from v2.11.6. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.7



## 1.15.5 / 2023-11-17

### Dependencies
Expand Down
7 changes: 3 additions & 4 deletions dependencies.yml
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@

libxml2:
version: "2.11.6"
sha256: "c90eee7506764abbe07bb616b82da452529609815aefef423d66ef080eb0c300"
# sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.11/libxml2-2.11.6.sha256sum
version: "2.11.7"
sha256: "fb27720e25eaf457f94fd3d7189bcf2626c6dccf4201553bc8874d50e3560162"
# sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.11/libxml2-2.11.7.sha256sum

libxslt:
version: "1.1.39"
Expand Down
4 changes: 1 addition & 3 deletions scripts/test-gem-install
Original file line number Diff line number Diff line change
Expand Up @@ -29,9 +29,7 @@ if [ -n "${BUNDLE_APP_CONFIG:-}" ] ; then
export BUNDLE_CACHE_PATH="${BUNDLE_APP_CONFIG}/cache"
fi

# 2.3.21 because https://github.com/rubygems/rubygems/issues/5914
# 2.3.22 because https://github.com/rubygems/rubygems/issues/5940
gem install bundler -v "~> 2.2, != 2.3.21, != 2.3.22"
gem install bundler -v "2.4.22" # should work fine on ruby 2.7 and above
bundle install --local || bundle install

rm -rf lib ext # ensure we don't use the local files
Expand Down

0 comments on commit f8156b4

Please sign in to comment.