Update to libxml2 2.9.14 #2525
Comments
One thing to think about with respect to the GitHub Advisory is the level of detail included. @noncombatant makes a persuasive case about The Poor State Of Information contained in CVEs and the need (as an industry) to do better.
@stevecheckoway Yup, I agree and that's why I want to spend some time evaluating whether and how the CVE is exploitable via Nokogiri, and will post more information in the GHSA.
Also see https://mail.gnome.org/archives/xml/2022-February/msg00014.html for a prior conversation I had with the libxml2 maintainer about this.
Great!
…-main dep: update libxml2 to v2.9.14 (main branch)

**What problem is this PR intended to solve?**

Update libxml2 to v2.9.14 from v2.9.13, see #2525

> https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14

Also ensure that tests pass against upstream libxml2 (#2468).

**Have you included adequate test coverage?**

This PR updates tests to reflect the difference in how incorrectly-opened comments are handled in this release.

**Does this change affect the behavior of either the C or the Java implementations?**

The C native implementation handling of incorrectly-opened comments is different from previous and different from the JRuby implementation's handling. These differences are fully captured and explained in the test suite.
Punchlist complete, closing.
libxml2 v2.9.14 was released today:
https://gitlab.gnome.org/GNOME/libxml2/-/releases
This ticket has been opened to drive the work to update to that version of libxml2 in the packaged libraries that are vendored with nokogiri. It will be released as v1.13.5. There will also be a GHSA published to reflect the fact that CVE-2022-29824 is fixed in v2.9.14.
Punchlist:
- main
- #2468 to handle libxml2 master
- loofah and rails-html-sanitizer
- investigate if test suite for sanitize needs to be updated, too (uses Nokogiri::HTML5 so no need)