[ruby-talk:443085] [ANN] Nokogiri security update v1.13.9

Nokogiri v1.13.9 has been released with a security update for CRuby users.

The release notes
<https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.9> are
reproduced here for your convenience.


---

1.13.9 / 2022-10-18

Security

   - [CRuby] Vendored libxml2 is updated to address CVE-2022-2309
   <https://nvd.nist.gov/vuln/detail/CVE-2022-2309>, CVE-2022-40304
   <https://nvd.nist.gov/vuln/detail/CVE-2022-40304>, and CVE-2022-40303
   <https://nvd.nist.gov/vuln/detail/CVE-2022-40303>. See
   GHSA-2qc6-mcvw-92cw
   <https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw>
   for more information.
   - [CRuby] Vendored zlib is updated to address CVE-2022-37434
   <https://ubuntu.com/security/CVE-2022-37434>. Nokogiri was not affected
   by this vulnerability, but this version of zlib was being flagged up by
   some vulnerability scanners; see #2626 for more information.

Dependencies

   - [CRuby] Vendored libxml2 is updated to v2.10.3
   <https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3> from v2.9.14.
   - [CRuby] Vendored libxslt is updated to v1.1.37
   <https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.37> from v1.1.35.
   - [CRuby] Vendored zlib is updated from 1.2.12 to 1.2.13. (See
   LICENSE-DEPENDENCIES.md for details on which packages redistribute
   this library.)

Fixed

   - [CRuby] Nokogiri::XML::Namespace objects, when compacted, update their
   internal struct's reference to the Ruby object wrapper. Previously, with GC
   compaction enabled, a segmentation fault was possible after compaction was
   triggered. [#2658]
   (Thanks, @eightbitraptor <https://github.com/eightbitraptor> and
   @peterzhu2118 <https://github.com/peterzhu2118>!)
   - [CRuby] Document#remove_namespaces! now defers freeing the underlying
   xmlNs struct until the Document is GCed. Previously, maintaining a
   reference to a Namespace object that was removed in this way could lead
   to a segfault. [#2658]
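
Whether a project still resolves to a Nokogiri older than this release can be read off its Gemfile.lock. The following is an added example, not part of the release notes or the Nokogiri project's code; the method name `audit_nokogiri`, the status symbols and the sample lockfile are assumptions made for illustration.

```ruby
require "rubygems" # Gem::Version (loaded by default; explicit for clarity)

FIXED = Gem::Version.new("1.13.9") # the release named in this announcement

# Constructed sample lockfile excerpt, not taken from the announcement.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.0)
      nokogiri (1.13.8)
        mini_portile2 (~> 2.8.0)
        racc (~> 1.4)
      nokogiri (1.13.8-x86_64-linux)
        racc (~> 1.4)
      nokogiri (1.13.6-java)
        racc (~> 1.4)
      nokogiri (1.13.9-arm64-darwin)
        racc (~> 1.4)
      racc (1.6.0)
LOCK

# Returns one hash per resolved nokogiri spec in the lockfile text.
# Resolved specs are indented four spaces; dependency constraints
# (six spaces, e.g. "nokogiri (>= 1.5.9)") are deliberately not matched.
def audit_nokogiri(lock_text)
  lock_text.each_line.filter_map do |line|
    m = line.match(/^ {4}nokogiri \(([^)\s]+)\)\s*$/) or next
    version, platform = m[1].split("-", 2)
    platform ||= "ruby" # no suffix: the source gem, compiled at install time
    status =
      if platform == "java"
        :cruby_items_not_applicable # every item in these notes is tagged [CRuby]
      elsif Gem::Version.new(version) < FIXED
        :update
      else
        :ok
      end
    { version: version, platform: platform, status: status }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_nokogiri(SAMPLE_LOCK).each do |r|
    puts format("nokogiri %-8s %-14s %s", r[:version], r[:platform], r[:status])
  end
end
```

To audit a real project, pass `File.read("Gemfile.lock")` instead of the sample text.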

------------------------------

sha256 checksums:
