Nokogiri v1.13.9 has been released with a security update for CRuby users.
The release notes
<https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.9> are
reproduced here for your convenience.
···
---
1.13.9 / 2022-10-18Security
- [CRuby] Vendored libxml2 is updated to address CVE-2022-2309
<https://nvd.nist.gov/vuln/detail/CVE-2022-2309>, CVE-2022-40304
<https://nvd.nist.gov/vuln/detail/CVE-2022-40304>, and CVE-2022-40303
<https://nvd.nist.gov/vuln/detail/CVE-2022-40303>\. See
GHSA-2qc6-mcvw-92cw
<https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw>
for
more information.
- [CRuby] Vendored zlib is updated to address CVE-2022-37434
<https://ubuntu.com/security/CVE-2022-37434>\. Nokogiri was not affected
by this vulnerability, but this version of zlib was being flagged up by
some vulnerability scanners, see #2626
<Issues · sparklemotion/nokogiri · GitHub; for more
information.
Dependencies
- [CRuby] Vendored libxml2 is updated to v2.10.3
<https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3> from v2.9.14.
- [CRuby] Vendored libxslt is updated to v1.1.37
<https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.37> from v1.1.35.
- [CRuby] Vendored zlib is updated from 1.2.12 to 1.2.13. (See
LICENSE-DEPENDENCIES.md
<nokogiri/LICENSE-DEPENDENCIES.md at v1.13.x · sparklemotion/nokogiri · GitHub;
for
details on which packages redistribute this library.)
Fixed
- [CRuby] Nokogiri::XML::Namespace objects, when compacted, update their
internal struct's reference to the Ruby object wrapper. Previously, with GC
compaction enabled, a segmentation fault was possible after compaction was
triggered. [#2658 <Issues · sparklemotion/nokogiri · GitHub]
(Thanks, @eightbitraptor <https://github.com/eightbitraptor> and
@peterzhu2118 <https://github.com/peterzhu2118>\!\)
- [CRuby] Document#remove_namespaces! now defers freeing the underlying
xmlNs struct until the Document is GCed. Previously, maintaining a
reference to a Namespace object that was removed in this way could lead
to a segfault. [#2658
<Issues · sparklemotion/nokogiri · GitHub]
------------------------------
sha256 checksums:
9b69829561d30c4461ea803baeaf3460e8b145cff7a26ce397119577a4083a02
nokogiri-1.13.9-aarch64-linux.gem
e76ebb4b7b2e02c72b2d1541289f8b0679fb5984867cf199d89b8ef485764956
nokogiri-1.13.9-arm64-darwin.gem
15bae7d08bddeaa898d8e3f558723300137c26a2dc2632a1f89c8574c4467165
nokogiri-1.13.9-java.gem
f6a1dbc7229184357f3129503530af73cc59ceba4932c700a458a561edbe04b9
nokogiri-1.13.9-x64-mingw-ucrt.gem
36d935d799baa4dc488024f71881ff0bc8b172cecdfc54781169c40ec02cbdb3
nokogiri-1.13.9-x64-mingw32.gem
ebaf82aa9a11b8fafb67873d19ee48efb565040f04c898cdce8ca0cd53ff1a12
nokogiri-1.13.9-x86-linux.gem
11789a2a11b28bc028ee111f23311461104d8c4468d5b901ab7536b282504154
nokogiri-1.13.9-x86-mingw32.gem
01830e1646803ff91c0fe94bc768ff40082c6de8cfa563dafd01b3f7d5f9d795
nokogiri-1.13.9-x86_64-darwin.gem
8e93b8adec22958013799c8690d81c2cdf8a90b6f6e8150ab22e11895844d781
nokogiri-1.13.9-x86_64-linux.gem
96f37c1baf0234d3ae54c2c89aef7220d4a8a1b03d2675ff7723565b0a095531
nokogiri-1.13.9.gem