Update to libxml2 2.9.14 #2525

Closed
8 tasks done
flavorjones opened this issue May 2, 2022 · 5 comments
Comments

@flavorjones (Member) commented May 2, 2022

libxml2 v2.9.14 was released today:

https://gitlab.gnome.org/GNOME/libxml2/-/releases

This ticket has been opened to drive the work to update to that version of libxml2 in the packaged libraries that are vendored with nokogiri. It will be released as v1.13.5. There will also be a GHSA published to reflect the fact that CVE-2022-29824 is fixed in v2.9.14.

Punchlist:

@stevecheckoway (Contributor)

One thing to think about with respect to the GitHub Advisory is the level of detail included. @noncombatant makes a persuasive case about The Poor State Of Information contained in CVEs and the need (as an industry) to do better.

@flavorjones (Member, Author)

@stevecheckoway Yup, I agree, and that's why I want to spend some time evaluating whether and how the CVE is exploitable via Nokogiri. I will post more information in the GHSA.

@flavorjones (Member, Author)

Also see https://mail.gnome.org/archives/xml/2022-February/msg00014.html for a prior conversation I had with the libxml2 maintainer about this.

@stevecheckoway (Contributor)

Great!

flavorjones added a commit that referenced this issue May 4, 2022

dep: update libxml2 to v2.9.14 (main branch)

---

**What problem is this PR intended to solve?**

Update libxml2 to v2.9.14 from v2.9.13, see #2525

> https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14

Also ensure that tests pass against upstream libxml2 (#2468).

**Have you included adequate test coverage?**

This PR updates tests to reflect the difference in how incorrectly-opened comments are handled in this release.


**Does this change affect the behavior of either the C or the Java implementations?**

The C native implementation's handling of incorrectly-opened comments is different from previous releases and different from the JRuby implementation's handling. These differences are fully captured and explained in the test suite.

@flavorjones (Member, Author)
Punchlist complete, closing.
