Nokogiri v1.10.8 was released on 2020-02-10.
This is a security release. It addresses a CVE in upstream libxml2 rated as
"medium" by Red Hat, for which details are below.
If you are using Nokogiri <= v1.10.7, please upgrade to v1.10.8 or later.
If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that this patch is not yet
(as of 2020-02-10) in an upstream release of libxml2.
Full details about the security update are available in Github issue
[#1992].
[#1992]: https://github.com/sparklemotion/nokogiri/issues/1992
···
---
## 1.10.8 / 2020-02-10
### Security
[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595.
Full details are available in [#1992](
https://github.com/sparklemotion/nokogiri/issues/1992). Note that this
patch is not yet (as of 2020-02-10) in an upstream release of libxml.
---
### CVE-2020-7595
permalink:
bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949582
description:
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite
loop in a certain end-of-file situation.
priority: __medium__
fix commit: