Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

upgrade main to libxml 2.9.12 #2235

Merged
merged 18 commits into from May 15, 2021
Merged

upgrade main to libxml 2.9.12 #2235

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
f15f045
ci: add a pipeline for v1.11.x
flavorjones May 14, 2021
4fe6b46
test: establish better baseline behavior for MS Word's html format
flavorjones May 14, 2021
ae88370
dep: upgrade libxml2 from 2.9.10 to 2.9.12
flavorjones May 13, 2021
96adf61
patch: remove upstream libxml2 patch 0e1a49c
flavorjones May 14, 2021
e0fb229
patch: remove upstream libxml2 patch afad372
flavorjones May 14, 2021
4ebe886
patch: remove upstream libxml2 patches 29f5d20 and a67b63d
flavorjones May 14, 2021
e73dc80
patch: remove upstream libxml2 patch c1ba6f5
flavorjones May 14, 2021
85ed506
patch: fix whitespace in libxml2 Makefile.in patch
flavorjones May 14, 2021
4d927e3
patch: fix isnan/isinf patch to apply cleanly to libxml 2.9.12
flavorjones May 14, 2021
0feae03
patch: backport libxslt configure.ac change for libxml2 config
flavorjones May 14, 2021
f9d72bb
test: adjust xpath gc test to libxml2's max recursion depth
flavorjones May 14, 2021
458c324
test: remove low-value HTML::SAX::PushParser encoding test
flavorjones May 14, 2021
0e743c8
test: update behavior of namespaces in HTML
flavorjones May 14, 2021
45d07f6
patch: renumber libxml2 patches
flavorjones May 14, 2021
159d695
update CHANGELOG
flavorjones May 14, 2021
630a86f
update CHANGELOG with complete CVE information
flavorjones May 14, 2021
9d6d701
version bump to v1.11.4
flavorjones May 14, 2021
89c8001
update CHANGELOG with the GHSA
flavorjones May 14, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
23 changes: 23 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Expand Up @@ -38,6 +38,29 @@ Many thanks to Sam Ruby, Steve Checkoway, and Craig Barnes for creating and main
* [CRuby] Upgrade mini_portile2 dependency from `~> 2.5.0` to `~> 2.5.1`. ("ruby" platform gem only.)


## 1.11.4 / 2021-05-14

### Security

[CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

- [CVE-2019-20388](https://security.archlinux.org/CVE-2019-20388)
- [CVE-2020-24977](https://security.archlinux.org/CVE-2020-24977)
- [CVE-2021-3517](https://security.archlinux.org/CVE-2021-3517)
- [CVE-2021-3518](https://security.archlinux.org/CVE-2021-3518)
- [CVE-2021-3537](https://security.archlinux.org/CVE-2021-3537)
- [CVE-2021-3541](https://security.archlinux.org/CVE-2021-3541)

Note that two additional CVEs were addressed upstream but are not relevant to this release. [CVE-2021-3516](https://security.archlinux.org/CVE-2021-3516) via `xmllint` is not present in Nokogiri, and [CVE-2020-7595](https://security.archlinux.org/CVE-2020-7595) has been patched in Nokogiri since v1.10.8 (see [#1992](https://github.com/sparklemotion/nokogiri/issues/1992)).

Please see [nokogiri/GHSA-7rrm-v45f-jp64 ](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64) or [#2233](https://github.com/sparklemotion/nokogiri/issues/2233) for a more complete analysis of these CVEs and patches.


### Dependencies

* [CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)


## 1.11.3 / 2021-04-07

### Fixed
Expand Down
333 changes: 333 additions & 0 deletions concourse/nokogiri-v1.11.x.yml
View file
Open in desktop
@@ -0,0 +1,333 @@
#@ load("@ytt:template", "template")

#@ load("ruby.star", "cruby_versions")
#@ all_cruby_versions = []
#@ all_cruby_versions.extend(cruby_versions["supported"])
#@ all_cruby_versions.extend(cruby_versions["beta"])

#@ load("ruby.star", "jruby_versions")
#@ all_jruby_versions = []
#@ all_jruby_versions.extend(jruby_versions["supported"])
#@ all_jruby_versions.extend(jruby_versions["beta"])

#@ load("ruby.star", "truffleruby_versions")
#@ all_truffleruby_versions = []
#@ all_truffleruby_versions.extend(truffleruby_versions["supported"])
#@ all_truffleruby_versions.extend(truffleruby_versions["beta"])

---
#@ def registry_image(image_repo, image_tag):
platform: linux
image_resource:
type: registry-image
source:
repository: #@ image_repo
tag: #@ image_tag
#@ end

---
#@ def task_inputs():
- name: nokogiri
path: ci
- name: nokogiri
#@ end

---
% require "common_prelude.rb"

resources:
- name: nokogiri
type: git
icon: "github"
check_every: 5m
webhook_token: ((nokogiri-main-webhook-token))
source:
uri: https://github.com/sparklemotion/nokogiri/
branch: v1.11.x
ignore_paths:
- "*.md"
- "concourse/**"
- "suppressions/**"
- ".github/**"
- "Vagrantfile"


jobs:
#@ job_name = "rubocop"
- name: #@ job_name
public: true
plan:
- get: nokogiri
trigger: true
- task: rubocop
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "bionic"))
inputs: #@ task_inputs()
run: {path: ci/concourse/tasks/rake-test/rubocop.sh}


#@ job_name = "cruby-on-vanilla-ubuntu"
- name: #@ job_name
public: true
plan:
- get: nokogiri
trigger: true
passed: ["rubocop"]
- in_parallel:
- task: rake-test
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "bionic"))
inputs: #@ task_inputs()
params: {TEST_WITH_SYSTEM_LIBRARIES: t}
run: {path: ci/concourse/tasks/rake-test/run.sh}
- task: rake-test-32bit
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "bionic32"))
inputs: #@ task_inputs()
params: {TEST_WITH_SYSTEM_LIBRARIES: t}
run: {path: ci/concourse/tasks/rake-test/run.sh}


#@ for ruby_version in all_cruby_versions:
#@ job_name = "cruby-{}".format(ruby_version)
- name: #@ job_name
public: true
plan:
- get: nokogiri
trigger: true
passed: ["cruby-on-vanilla-ubuntu"]
- in_parallel:
- task: rake-test-system-libraries
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "mri-{}".format(ruby_version)))
inputs: #@ task_inputs()
params:
TEST_WITH_SYSTEM_LIBRARIES: t
#@ if ruby_version == cruby_versions["supported"][-1]:
CC_TEST_REPORTER_ID: ((code_climate_reporter_id_nokogiri))
GIT_BRANCH: main
#@ end
run: {path: ci/concourse/tasks/rake-test/run.sh}
- task: rake-test-vendored-libraries
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "mri-{}".format(ruby_version)))
inputs: #@ task_inputs()
run: {path: ci/concourse/tasks/rake-test/run.sh}
- task: rake-test-valgrind
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "mri-{}".format(ruby_version)))
inputs: #@ task_inputs()
params: {TEST_WITH_VALGRIND: t}
run: {path: ci/concourse/tasks/rake-test/run.sh}
#@ end


#@ for ruby_version in all_jruby_versions:
#@ job_name = "jruby-{}".format(ruby_version)
- name: #@ job_name
public: true
plan:
- get: nokogiri
trigger: true
passed: ["cruby-on-vanilla-ubuntu"]
- task: rake-test
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "jruby-{}".format(ruby_version)))
inputs: #@ task_inputs()
run: {path: ci/concourse/tasks/rake-test/run.sh}
#@ end


#@ job_name = "cruby-on-musl"
- name: #@ job_name
public: true
plan:
- get: nokogiri
trigger: true
passed: #@ ["cruby-{}".format(ruby_version) for ruby_version in cruby_versions["supported"]]
- in_parallel:
- task: rake-test-system-libraries
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "alpine"))
inputs: #@ task_inputs()
run: {path: ci/concourse/tasks/rake-test/run.sh}
params: {TEST_WITH_SYSTEM_LIBRARIES: t}
- task: rake-test-valgrind
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "alpine"))
inputs: #@ task_inputs()
run: {path: ci/concourse/tasks/rake-test/run.sh}
params: {TEST_WITH_VALGRIND: t}


#@ job_name = "cruby-with-libxmlruby"
- name: #@ job_name
public: true
plan:
- get: nokogiri
trigger: true
passed: #@ ["cruby-{}".format(ruby_version) for ruby_version in cruby_versions["supported"]]
- in_parallel:
- task: rake-test-system-libraries
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "mri-{}".format(cruby_versions["supported"][-1])))
inputs: #@ task_inputs()
params:
BUNDLE_GEMFILE: "Gemfile-libxml-ruby"
TEST_WITH_SYSTEM_LIBRARIES: t
run: {path: ci/concourse/tasks/rake-test/run.sh}
- task: rake-test-valgrind
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "mri-{}".format(cruby_versions["supported"][-1])))
inputs: #@ task_inputs()
params:
BUNDLE_GEMFILE: "Gemfile-libxml-ruby"
TEST_WITH_VALGRIND: t
run: {path: ci/concourse/tasks/rake-test/run.sh}


#@ job_name = "cruby-gem-test"
- name: #@ job_name
public: true
plan:
- get: nokogiri
trigger: true
passed: #@ ["cruby-{}".format(ruby_version) for ruby_version in cruby_versions["supported"]]
- task: build
config:
"_": #@ template.replace(registry_image("larskanis/rake-compiler-dock-mri-x86_64-linux", "<%= RakeCompilerDock::IMAGE_VERSION %>"))
inputs: #@ task_inputs()
outputs: [{name: gems}]
run: {path: ci/concourse/tasks/gem-test/gem-build.sh}
- in_parallel:
- task: install-and-test
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "mri-{}".format(cruby_versions["supported"][-1])))
inputs:
- name: nokogiri
path: ci
- name: nokogiri
- name: gems
run: {path: ci/concourse/tasks/gem-test/gem-install-and-test.sh}
- task: install-and-test-on-musl
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "alpine"))
inputs:
- name: nokogiri
path: ci
- name: nokogiri
- name: gems
run: {path: ci/concourse/tasks/gem-test/gem-install-and-test.sh}


#@ job_name = "cruby-native-gem-test"
- name: #@ job_name
public: true
plan:
- get: nokogiri
trigger: true
version: every
passed: #@ ["cruby-{}".format(ruby_version) for ruby_version in cruby_versions["supported"]]
- task: build
config:
"_": #@ template.replace(registry_image("larskanis/rake-compiler-dock-mri-x86_64-linux", "<%= RakeCompilerDock::IMAGE_VERSION %>"))
inputs: #@ task_inputs()
outputs: [{name: gems}]
params: {BUILD_NATIVE_GEM: "x86_64-linux"}
run: {path: ci/concourse/tasks/gem-test/gem-build.sh}
- in_parallel:
<% $native_ruby_versions.each do |ruby_version| %>
- task: install-and-test-<%= ruby_version %>
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "mri-<%= ruby_version %>"))
inputs:
- name: nokogiri
path: ci
- name: nokogiri
- name: gems
run: {path: ci/concourse/tasks/gem-test/gem-install-and-test.sh}
<% end %>
- task: install-and-test-on-musl
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "alpine"))
inputs:
- name: nokogiri
path: ci
- name: nokogiri
- name: gems
run: {path: ci/concourse/tasks/gem-test/gem-install-and-test.sh}


#@ job_name = "cruby-native-gem-test-32bit"
- name: #@ job_name
public: true
plan:
- get: nokogiri
trigger: true
version: every
passed: #@ ["cruby-{}".format(ruby_version) for ruby_version in cruby_versions["supported"]]
- task: build
config:
"_": #@ template.replace(registry_image("larskanis/rake-compiler-dock-mri-x86-linux", "<%= RakeCompilerDock::IMAGE_VERSION %>"))
inputs: #@ task_inputs()
outputs: [{name: gems}]
params: {BUILD_NATIVE_GEM: "x86-linux"}
run: {path: ci/concourse/tasks/gem-test/gem-build.sh}
- in_parallel:
- task: install-and-test-on-vanilla-ubuntu-32bit
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "bionic32"))
inputs:
- name: nokogiri
path: ci
- name: nokogiri
- name: gems
run: {path: ci/concourse/tasks/gem-test/gem-install-and-test.sh}
- task: install-and-test-on-musl-32bit
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "alpine32"))
inputs:
- name: nokogiri
path: ci
- name: nokogiri
- name: gems
run: {path: ci/concourse/tasks/gem-test/gem-install-and-test.sh}


#@ job_name = "jruby-gem-test"
- name: #@ job_name
public: true
plan:
- get: nokogiri
trigger: true
passed: #@ ["jruby-{}".format(ruby_version) for ruby_version in jruby_versions["supported"]]
- task: build
config:
"_": #@ template.replace(registry_image("larskanis/rake-compiler-dock-jruby", "<%= RakeCompilerDock::IMAGE_VERSION %>"))
inputs: #@ task_inputs()
outputs: [{name: gems}]
run: {path: ci/concourse/tasks/gem-test/gem-build-java.sh}
- task: install-and-test
config:
"_": #@ template.replace(registry_image("flavorjones/nokogiri-test", "jruby-{}".format(jruby_versions["supported"][-1])))
inputs:
- name: nokogiri
path: ci
- name: nokogiri
- name: gems
run: {path: ci/concourse/tasks/gem-test/gem-install-and-test.sh}


- name: build-success
public: true
disable_manual_trigger: true
plan:
- get: nokogiri
trigger: true
version: every
passed:
- cruby-on-musl
- cruby-with-libxmlruby
- cruby-gem-test
- cruby-native-gem-test
- jruby-gem-test