[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
depfu[bot]
commented
3 years ago
🚨 Your version of nokogiri has known security vulnerabilities 🚨
Advisory: CVE-2020-7595 Disclosed: February 10, 2020 URL: https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7595.html
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ nokogiri (indirect, 1.10.5 → 1.10.8) · Repo · Changelog
Release Notes
1.10.8
1.10.7
1.10.6
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 14 commits:
version bump to v1.10.8update CHANGELOG for v1.10.8remove patches from the hoe Manifestupdate to use rake-compiler ~1.1.0backport libxml2 patch for CVE-2020-7595version bump to v1.10.7update CHANGELOGFix the patch from #1953 to work with both `git` and `patch`Fix typo in generated metadataadd gem metadataversion bump to v1.10.6update CHANGELOGAdd a patch to fix libxml2.la's pathadd security note to CHANGELOGDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands