From ca92e48b0c7c85bed1cbc42845cae8ccad57fce1 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sat, 27 Jul 2024 13:38:59 -0400
Subject: [PATCH] dep: update packaged libxml2 to v2.12.9
Addresses CVE-2024-40896 which Nokogiri maintainers believe does not affect Nokogiri users.
---
 CHANGELOG.md | 7 +++++++
 dependencies.yml | 6 +++---
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a15c341355..e18f09fe5a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,13 @@ Nokogiri follows [Semantic Versioning](https://semver.org/), please see the [REA
 ---
+## v1.16.next / unreleased
+
+## Dependencies
+
+* [CRuby] Vendored libxml2 is updated to [v2.12.9](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.9), which the upstream release notes state is a security release to address CVE-2024-40896. Nokogiri's maintainers believe this vulnerability does not affect users of Nokogiri, but we advise upgrading at your earliest convenience anyway.
+
+
 ## v1.16.6 / 2024-06-13
 ## Dependencies
diff --git a/dependencies.yml b/dependencies.yml
index 950d77a71e..1ea4b78da9 100644
--- a/dependencies.yml
+++ b/dependencies.yml
@@ -1,8 +1,8 @@
 ---
 libxml2:
- version: "2.12.8"
- sha256: "43ad877b018bc63deb2468d71f95219c2fac196876ef36d1bee51d226173ec93"
- # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.12/libxml2-2.12.8.sha256sum
+ version: "2.12.9"
+ sha256: "59912db536ab56a3996489ea0299768c7bcffe57169f0235e7f962a91f483590"
+ # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.12/libxml2-2.12.9.sha256sum
 libxslt:
 version: "1.1.39"