Nokogiri v1.13.4 has been released, with multiple security updates for both
CRuby and JRuby users.
The changelog entry <Release 1.13.4 / 2022-04-11 · sparklemotion/nokogiri · GitHub> is reproduced here for your convenience, and interested readers are encouraged to click through to the security advisories for more details.
---
1.13.4 / 2022-04-11

Security

- Address CVE-2022-24836 <NVD - CVE-2022-24836>, a regular expression denial-of-service vulnerability. See GHSA-crjr-9rc5-ghw8 <Inefficient Regular Expression Complexity in Nokogiri · Advisory · sparklemotion/nokogiri · GitHub> for more information.
- [CRuby] Vendored zlib is updated to address CVE-2018-25032 <NVD - CVE-2018-25032>. See GHSA-v6gp-9mmm-c6p5 <Update packaged zlib from 1.2.11 to 1.2.12 · Advisory · sparklemotion/nokogiri · GitHub> for more information.
- [JRuby] Vendored Xerces-J (xerces:xercesImpl) is updated to address CVE-2022-23437 <NVD - CVE-2022-23437>. See GHSA-xxx9-3xcr-gjj3 <Update packaged Xerces Java from 2.12.0 to 2.12.2 · Advisory · sparklemotion/nokogiri · GitHub> for more information.
- [JRuby] Vendored nekohtml (org.cyberneko.html) is updated to address CVE-2022-24839 <NVD - CVE-2022-24839>. See GHSA-gx8x-g87m-h5q6 <Denial of Service (DoS) in Nokogiri on JRuby · Advisory · sparklemotion/nokogiri · GitHub> for more information.

Dependencies

- [CRuby] Vendored zlib is updated from 1.2.11 to 1.2.12. (See LICENSE-DEPENDENCIES.md <nokogiri/LICENSE-DEPENDENCIES.md at v1.13.x · sparklemotion/nokogiri · GitHub> for details on which packages redistribute this library.)
- [JRuby] Vendored Xerces-J (xerces:xercesImpl) is updated from 2.12.0 to 2.12.2.
- [JRuby] Vendored nekohtml (org.cyberneko.html) is updated from a fork of 1.9.21 to 1.9.22.noko2. This fork is now publicly developed at GitHub (sparklemotion/nekohtml, a mirror/fork of http://sourceforge.net/p/nekohtml/code/HEAD/tree/).
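Because the four advisories split by build (the ReDoS affects every build, the zlib issue only CRuby native gems, the Xerces-J and nekohtml issues only JRuby), the practical triage question is "which nokogiri did Bundler resolve, and on which platform?". The following Ruby script is an added example, not code from the Nokogiri project or from this announcement: it reads a Gemfile.lock, picks out the resolved nokogiri version and platform suffix, and lists the changelog's advisories that still apply when the version is below 1.13.4. The lockfile contents embedded below are constructed samples, and the regular expression and advisory table are this example's own assumptions about lockfile layout.

```ruby
# Added example (not part of the Nokogiri release notes): scan a Gemfile.lock
# for the resolved nokogiri version and report which of the advisories listed
# in the 1.13.4 changelog still apply. Platform (CRuby vs JRuby) is taken from
# the lockfile's platform suffix, e.g. "nokogiri (1.13.3-java)".

FIXED_VERSION = Gem::Version.new("1.13.4")

# Advisories from the 1.13.4 changelog, keyed by which Nokogiri build they affect.
ADVISORIES = {
  all:   ["CVE-2022-24836 (ReDoS, GHSA-crjr-9rc5-ghw8)"],
  cruby: ["CVE-2018-25032 (vendored zlib, GHSA-v6gp-9mmm-c6p5)"],
  jruby: [
    "CVE-2022-23437 (vendored Xerces-J, GHSA-xxx9-3xcr-gjj3)",
    "CVE-2022-24839 (vendored nekohtml, GHSA-gx8x-g87m-h5q6)",
  ],
}.freeze

# Matches the resolved gem line in the "specs:" section of a Gemfile.lock.
# The version may carry a platform suffix ("-java", "-x86_64-linux", ...),
# which must be stripped before Gem::Version comparison because Gem::Version
# would otherwise treat "1.13.3-java" as a prerelease of 1.13.3.
NOKOGIRI_SPEC = /^\s+nokogiri \((\d+(?:\.\d+)+)(?:-([\w-]+))?\)$/

# Returns { version:, platform:, fixed:, advisories: }, or nil when nokogiri
# is not resolved in the lockfile at all.
def nokogiri_exposure(lockfile_text)
  match = lockfile_text.match(NOKOGIRI_SPEC)
  return nil unless match

  version  = Gem::Version.new(match[1])
  platform = match[2] == "java" ? :jruby : :cruby
  fixed    = version >= FIXED_VERSION
  {
    version: version.to_s,
    platform: platform,
    fixed: fixed,
    advisories: fixed ? [] : ADVISORIES[:all] + ADVISORIES[platform],
  }
end

# Constructed sample lockfiles (not taken from any real project).
CRUBY_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.0)
      nokogiri (1.13.3-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)
LOCK

JRUBY_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.3-java)
        racc (~> 1.4)
      racc (1.6.0)
LOCK

PATCHED_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.4)
        mini_portile2 (~> 2.8.0)
        racc (~> 1.4)
LOCK

if __FILE__ == $PROGRAM_NAME
  [CRUBY_LOCK, JRUBY_LOCK, PATCHED_LOCK].each do |lock|
    report = nokogiri_exposure(lock)
    puts "nokogiri #{report[:version]} (#{report[:platform]}): " \
         "#{report[:fixed] ? 'fixed' : 'update to 1.13.4'}"
    report[:advisories].each { |advisory| puts "  - #{advisory}" }
  end
end
```

To run it against a real project, replace the constructed constants with `File.read("Gemfile.lock")`. Note that a lockfile without a platform suffix is reported as CRuby here; on a JRuby deployment that resolves the plain "nokogiri (x.y.z)" entry and builds from source, the JRuby advisories still apply, so the platform guess should be cross-checked against `RUBY_ENGINE` on the deployed host.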