

Merge pull request #2235 from sparklemotion/2233-upgrade-to-libxml-2-…
…9-12

upgrade `main` to libxml 2.9.12
flavorjones committed May 15, 2021
2 parents 051b193 + 89c8001 commit 7df5d3c
Showing 21 changed files with 1,128 additions and 394 deletions.
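--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -38,6 +38,29 @@ Many thanks to Sam Ruby, Steve Checkoway, and Craig Barnes for creating and main
 * [CRuby] Upgrade mini_portile2 dependency from `~> 2.5.0` to `~> 2.5.1`. ("ruby" platform gem only.)
 
 
+## 1.11.4 / 2021-05-14
+
+### Security
+
+[CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:
+
+- [CVE-2019-20388](https://security.archlinux.org/CVE-2019-20388)
+- [CVE-2020-24977](https://security.archlinux.org/CVE-2020-24977)
+- [CVE-2021-3517](https://security.archlinux.org/CVE-2021-3517)
+- [CVE-2021-3518](https://security.archlinux.org/CVE-2021-3518)
+- [CVE-2021-3537](https://security.archlinux.org/CVE-2021-3537)
+- [CVE-2021-3541](https://security.archlinux.org/CVE-2021-3541)
+
+Note that two additional CVEs were addressed upstream but are not relevant to this release. [CVE-2021-3516](https://security.archlinux.org/CVE-2021-3516) via `xmllint` is not present in Nokogiri, and [CVE-2020-7595](https://security.archlinux.org/CVE-2020-7595) has been patched in Nokogiri since v1.10.8 (see [#1992](https://github.com/sparklemotion/nokogiri/issues/1992)).
+
+Please see [nokogiri/GHSA-7rrm-v45f-jp64 ](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64) or [#2233](https://github.com/sparklemotion/nokogiri/issues/2233) for a more complete analysis of these CVEs and patches.
+
+
+### Dependencies
+
+* [CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)
+
+
 ## 1.11.3 / 2021-04-07
 
 ### Fixed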
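--- a/concourse/nokogiri-v1.11.x.yml
+++ b/concourse/nokogiri-v1.11.x.yml
@@ -0,0 +1,333 @@
+#@ load("@ytt:template", "template")
+
+#@ load("ruby.star", "cruby_versions")
+#@ all_cruby_versions = []
+#@ all_cruby_versions.extend(cruby_versions["supported"])
+#@ all_cruby_versions.extend(cruby_versions["beta"])
+
+#@ load("ruby.star", "jruby_versions")
+#@ all_jruby_versions = []
+#@ all_jruby_versions.extend(jruby_versions["supported"])
+#@ all_jruby_versions.extend(jruby_versions["beta"])
+
+#@ load("ruby.star", "truffleruby_versions")
+#@ all_truffleruby_versions = []
+#@ all_truffleruby_versions.extend(truffleruby_versions["supported"])
+#@ all_truffleruby_versions.extend(truffleruby_versions["beta"])
+
+---
+#@ def registry_image(image_repo, image_tag):
+platform: linux
+image_resource:
+type: registry-image
+source:
+repository: #@ image_repo
+tag: #@ image_tag
+#@ end
+
+---
+#@ def task_inputs():
+- name: nokogiri
+path: ci
+- name: nokogiri
+#@ end
+
+---
+% require "common_prelude.rb"
+
+resources:
+- name: nokogiri
+type: git
+icon: "github"
+check_every: 5m
+webhook_token: ((nokogiri-main-webhook-token))
+source:
+uri: https://github.com/sparklemotion/nokogiri/
+branch: v1.11.x
+ignore_paths:
+- "*.md"
+- "concourse/**"
+- "suppressions/**"
+- ".github/**"
+- "Vagrantfile"
+
+
+jobs:
+#@ job_name = "rubocop"
+- name: #@ job_name
+public: true
+plan:
+- get: nokogiri
+trigger: true
+- task: rubocop
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "bionic"))
+inputs: #@ task_inputs()
+run: {path: ci/concourse/tasks/rake-test/rubocop.sh}
+
+
+#@ job_name = "cruby-on-vanilla-ubuntu"
+- name: #@ job_name
+public: true
+plan:
+- get: nokogiri
+trigger: true
+passed: ["rubocop"]
+- in_parallel:
+- task: rake-test
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "bionic"))
+inputs: #@ task_inputs()
+params: {TEST_WITH_SYSTEM_LIBRARIES: t}
+run: {path: ci/concourse/tasks/rake-test/run.sh}
+- task: rake-test-32bit
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "bionic32"))
+inputs: #@ task_inputs()
+params: {TEST_WITH_SYSTEM_LIBRARIES: t}
+run: {path: ci/concourse/tasks/rake-test/run.sh}
+
+
+#@ for ruby_version in all_cruby_versions:
+#@ job_name = "cruby-{}".format(ruby_version)
+- name: #@ job_name
+public: true
+plan:
+- get: nokogiri
+trigger: true
+passed: ["cruby-on-vanilla-ubuntu"]
+- in_parallel:
+- task: rake-test-system-libraries
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "mri-{}".format(ruby_version)))
+inputs: #@ task_inputs()
+params:
+TEST_WITH_SYSTEM_LIBRARIES: t
+#@ if ruby_version == cruby_versions["supported"][-1]:
+CC_TEST_REPORTER_ID: ((code_climate_reporter_id_nokogiri))
+GIT_BRANCH: main
+#@ end
+run: {path: ci/concourse/tasks/rake-test/run.sh}
+- task: rake-test-vendored-libraries
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "mri-{}".format(ruby_version)))
+inputs: #@ task_inputs()
+run: {path: ci/concourse/tasks/rake-test/run.sh}
+- task: rake-test-valgrind
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "mri-{}".format(ruby_version)))
+inputs: #@ task_inputs()
+params: {TEST_WITH_VALGRIND: t}
+run: {path: ci/concourse/tasks/rake-test/run.sh}
+#@ end
+
+
+#@ for ruby_version in all_jruby_versions:
+#@ job_name = "jruby-{}".format(ruby_version)
+- name: #@ job_name
+public: true
+plan:
+- get: nokogiri
+trigger: true
+passed: ["cruby-on-vanilla-ubuntu"]
+- task: rake-test
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "jruby-{}".format(ruby_version)))
+inputs: #@ task_inputs()
+run: {path: ci/concourse/tasks/rake-test/run.sh}
+#@ end
+
+
+#@ job_name = "cruby-on-musl"
+- name: #@ job_name
+public: true
+plan:
+- get: nokogiri
+trigger: true
+passed: #@ ["cruby-{}".format(ruby_version) for ruby_version in cruby_versions["supported"]]
+- in_parallel:
+- task: rake-test-system-libraries
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "alpine"))
+inputs: #@ task_inputs()
+run: {path: ci/concourse/tasks/rake-test/run.sh}
+params: {TEST_WITH_SYSTEM_LIBRARIES: t}
+- task: rake-test-valgrind
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "alpine"))
+inputs: #@ task_inputs()
+run: {path: ci/concourse/tasks/rake-test/run.sh}
+params: {TEST_WITH_VALGRIND: t}
+
+
+#@ job_name = "cruby-with-libxmlruby"
+- name: #@ job_name
+public: true
+plan:
+- get: nokogiri
+trigger: true
+passed: #@ ["cruby-{}".format(ruby_version) for ruby_version in cruby_versions["supported"]]
+- in_parallel:
+- task: rake-test-system-libraries
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "mri-{}".format(cruby_versions["supported"][-1])))
+inputs: #@ task_inputs()
+params:
+BUNDLE_GEMFILE: "Gemfile-libxml-ruby"
+TEST_WITH_SYSTEM_LIBRARIES: t
+run: {path: ci/concourse/tasks/rake-test/run.sh}
+- task: rake-test-valgrind
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "mri-{}".format(cruby_versions["supported"][-1])))
+inputs: #@ task_inputs()
+params:
+BUNDLE_GEMFILE: "Gemfile-libxml-ruby"
+TEST_WITH_VALGRIND: t
+run: {path: ci/concourse/tasks/rake-test/run.sh}
+
+
+#@ job_name = "cruby-gem-test"
+- name: #@ job_name
+public: true
+plan:
+- get: nokogiri
+trigger: true
+passed: #@ ["cruby-{}".format(ruby_version) for ruby_version in cruby_versions["supported"]]
+- task: build
+config:
+"_": #@ template.replace(registry_image("larskanis/rake-compiler-dock-mri-x86_64-linux", "<%= RakeCompilerDock::IMAGE_VERSION %>"))
+inputs: #@ task_inputs()
+outputs: [{name: gems}]
+run: {path: ci/concourse/tasks/gem-test/gem-build.sh}
+- in_parallel:
+- task: install-and-test
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "mri-{}".format(cruby_versions["supported"][-1])))
+inputs:
+- name: nokogiri
+path: ci
+- name: nokogiri
+- name: gems
+run: {path: ci/concourse/tasks/gem-test/gem-install-and-test.sh}
+- task: install-and-test-on-musl
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "alpine"))
+inputs:
+- name: nokogiri
+path: ci
+- name: nokogiri
+- name: gems
+run: {path: ci/concourse/tasks/gem-test/gem-install-and-test.sh}
+
+
+#@ job_name = "cruby-native-gem-test"
+- name: #@ job_name
+public: true
+plan:
+- get: nokogiri
+trigger: true
+version: every
+passed: #@ ["cruby-{}".format(ruby_version) for ruby_version in cruby_versions["supported"]]
+- task: build
+config:
+"_": #@ template.replace(registry_image("larskanis/rake-compiler-dock-mri-x86_64-linux", "<%= RakeCompilerDock::IMAGE_VERSION %>"))
+inputs: #@ task_inputs()
+outputs: [{name: gems}]
+params: {BUILD_NATIVE_GEM: "x86_64-linux"}
+run: {path: ci/concourse/tasks/gem-test/gem-build.sh}
+- in_parallel:
+<% $native_ruby_versions.each do |ruby_version| %>
+- task: install-and-test-<%= ruby_version %>
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "mri-<%= ruby_version %>"))
+inputs:
+- name: nokogiri
+path: ci
+- name: nokogiri
+- name: gems
+run: {path: ci/concourse/tasks/gem-test/gem-install-and-test.sh}
+<% end %>
+- task: install-and-test-on-musl
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "alpine"))
+inputs:
+- name: nokogiri
+path: ci
+- name: nokogiri
+- name: gems
+run: {path: ci/concourse/tasks/gem-test/gem-install-and-test.sh}
+
+
+#@ job_name = "cruby-native-gem-test-32bit"
+- name: #@ job_name
+public: true
+plan:
+- get: nokogiri
+trigger: true
+version: every
+passed: #@ ["cruby-{}".format(ruby_version) for ruby_version in cruby_versions["supported"]]
+- task: build
+config:
+"_": #@ template.replace(registry_image("larskanis/rake-compiler-dock-mri-x86-linux", "<%= RakeCompilerDock::IMAGE_VERSION %>"))
+inputs: #@ task_inputs()
+outputs: [{name: gems}]
+params: {BUILD_NATIVE_GEM: "x86-linux"}
+run: {path: ci/concourse/tasks/gem-test/gem-build.sh}
+- in_parallel:
+- task: install-and-test-on-vanilla-ubuntu-32bit
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "bionic32"))
+inputs:
+- name: nokogiri
+path: ci
+- name: nokogiri
+- name: gems
+run: {path: ci/concourse/tasks/gem-test/gem-install-and-test.sh}
+- task: install-and-test-on-musl-32bit
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "alpine32"))
+inputs:
+- name: nokogiri
+path: ci
+- name: nokogiri
+- name: gems
+run: {path: ci/concourse/tasks/gem-test/gem-install-and-test.sh}
+
+
+#@ job_name = "jruby-gem-test"
+- name: #@ job_name
+public: true
+plan:
+- get: nokogiri
+trigger: true
+passed: #@ ["jruby-{}".format(ruby_version) for ruby_version in jruby_versions["supported"]]
+- task: build
+config:
+"_": #@ template.replace(registry_image("larskanis/rake-compiler-dock-jruby", "<%= RakeCompilerDock::IMAGE_VERSION %>"))
+inputs: #@ task_inputs()
+outputs: [{name: gems}]
+run: {path: ci/concourse/tasks/gem-test/gem-build-java.sh}
+- task: install-and-test
+config:
+"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "jruby-{}".format(jruby_versions["supported"][-1])))
+inputs:
+- name: nokogiri
+path: ci
+- name: nokogiri
+- name: gems
+run: {path: ci/concourse/tasks/gem-test/gem-install-and-test.sh}
+
+
+- name: build-success
+public: true
+disable_manual_trigger: true
+plan:
+- get: nokogiri
+trigger: true
+version: every
+passed:
+- cruby-on-musl
+- cruby-with-libxmlruby
+- cruby-gem-test
+- cruby-native-gem-test
+- jruby-gem-test
+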
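Review bot: In the `cruby-{}` job loop, the `rake-test-system-libraries` task for the newest supported Ruby receives `CC_TEST_REPORTER_ID: ((code_climate_reporter_id_nokogiri))` as a task param while the job is `public: true`, so build output is readable without login and the value stays private only if the task script never echoes its environment and the Concourse deployment has secret redaction turned on; I would confirm both or move the coverage upload into a job that is not public. The `GIT_BRANCH: main` beside it looks carried over from the main pipeline, whereas this pipeline's git resource tracks `branch: v1.11.x`; if the reporter keys on that variable, coverage from the release branch would be filed under main, so `GIT_BRANCH: v1.11.x` seems intended. Every task image is also pulled by a mutable tag (`bionic`, `alpine`, `mri-…`, `jruby-…`), so a run is only as trustworthy as whatever was last pushed to those tags; pinning by digest, or at least a comment stating that the images are rebuilt and trusted by the maintainers, would document that dependency.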
