version 3.9.0

CVE.md

@@ -6,8 +6,9 @@
 
 | CVE                                                               | Description |
 |-------------------------------------------------------------------|-----------------|
+| [CVE-2023-49093](https://nvd.nist.gov/vuln/detail/CVE-2023-49093) | HtmlUnit suffers from a remote code execution via XSLT vulnerability on versions 3.8.0 and below. Please update to at least version 3.9.0. |
 | [CVE-2023-2798](https://nvd.nist.gov/vuln/detail/CVE-2023-2798)   | HtmlUnit suffers from a denial of service vulnerability on versions 2.69.0 and below. Please update to at least version 2.70.0. |
-| [CVE-2023-26119](https://nvd.nist.gov/vuln/detail/CVE-2023-26119) | HtmlUnit suffers from a remote code execution via XSTL vulnerability on versions 2.70.0 and below. Please update to at least version 3.1.0. |
-| [CVE-2022-29546](https://nvd.nist.gov/vuln/detail/CVE-2022-29546) | HtmlUnit NekoHtml Parser suffers from a remote code execution via XSTL vulnerability on versions 2.60.0 and below. Please update to at least version 2.70.0 or 3.1.0 |
+| [CVE-2023-26119](https://nvd.nist.gov/vuln/detail/CVE-2023-26119) | HtmlUnit suffers from a remote code execution via XSLT vulnerability on versions 2.70.0 and below. Please update to at least version 3.1.0. |
+| [CVE-2022-29546](https://nvd.nist.gov/vuln/detail/CVE-2022-29546) | HtmlUnit NekoHtml Parser suffers from a remote code execution via XSLT vulnerability on versions 2.60.0 and below. Please update to at least version 2.70.0 or 3.1.0 |
 | [CVE-2022-28366](https://nvd.nist.gov/vuln/detail/CVE-2022-28366) | HtmlUnit NekoHtml Parser suffers from a denial of service vulnerability on versions 2.26.0 and below. Please update to at least version 2.70.0 or 3.1.0 |
 | [CVE-2020-5529](https://nvd.nist.gov/vuln/detail/CVE-2020-5529)   | HtmlUnit suffers from a remote code execution vulnerability (improper initialization of the Rhino engine) on versions 2.36.0 and below. Please update to at least version 3.1.0. |

README.md

@@ -1,6 +1,6 @@
 # HtmlUnit
 
-Version 3.8.0 / November 18, 2023
+Version 3.9.0 / December 03, 2023
 
 :heart: [Sponsor](https://github.com/sponsors/rbri)
 
@@ -38,7 +38,7 @@ Add to your `pom.xml`:
 <dependency>
     <groupId>org.htmlunit</groupId>
     <artifactId>htmlunit</artifactId>
-    <version>3.8.0</version>
+    <version>3.9.0</version>
 </dependency>
 ```
 
@@ -47,7 +47,7 @@ Add to your `pom.xml`:
 Add to your `build.gradle`:
 
 ```groovy
-implementation group: 'org.htmlunit', name: 'htmlunit', version: '3.8.0'
+implementation group: 'org.htmlunit', name: 'htmlunit', version: '3.9.0'
 ```
 
 ## Vulnerabilities
@@ -122,7 +122,7 @@ Add the snapshot repository and dependency to your `pom.xml`:
       <dependency>
           <groupId>org.htmlunit</groupId>
           <artifactId>htmlunit</artifactId>
-          <version>3.9.0-SNAPSHOT</version>
+          <version>3.10.0-SNAPSHOT</version>
       </dependency>
       <!-- ... -->
     </dependencies>
@@ -141,7 +141,7 @@ repositories {
 }
 // ...
 dependencies {
-    implementation group: 'org.htmlunit', name: 'htmlunit', version: '3.9.0-SNAPSHOT'
+    implementation group: 'org.htmlunit', name: 'htmlunit', version: '3.10.0-SNAPSHOT'
   // ...
 }
 ```
@@ -185,7 +185,7 @@ Please try to keep your pull requests small (don't bundle unrelated changes) and
 [![Stargazers](https://starchart.cc/HtmlUnit/htmlunit.svg)](https://starchart.cc/HtmlUnit/htmlunit)
 
 
-[1]: https://sourceforge.net/projects/htmlunit/files/htmlunit/3.8.0/ "HtmlUnit on sourceforge"
+[1]: https://sourceforge.net/projects/htmlunit/files/htmlunit/3.9.0/ "HtmlUnit on sourceforge"
 [2]: https://jenkins.wetator.org/view/HtmlUnit/ "HtmlUnit CI"
 [3]: https://twitter.com/HtmlUnit "https://twitter.com/HtmlUnit"
 [4]: https://www.htmlunit.org "https://www.htmlunit.org"

pom.xml

@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.htmlunit</groupId>
     <artifactId>htmlunit</artifactId>
-    <version>3.9.0-SNAPSHOT</version>
+    <version>3.9.0</version>
     <name>HtmlUnit</name>
     <organization>
         <name>Gargoyle Software Inc.</name>

src/changes/changes.xml

@@ -7,7 +7,7 @@
     </properties>
 
     <body>
-        <release version="3.9.0" date="December xx, 2023" description="Bugfixes">
+        <release version="3.9.0" date="December 03, 2023" description="Bugfixes, htmlunit-csp, CVE-2023-49093, improved neko">
             <action type="update" dev="rbri">
                 Upgrade commons-logging to 1.3.0
             </action>
@@ -18,7 +18,7 @@
                 New subproject htmlunit-csp. This replaces shapesecurity/salvation.
             </action>
             <action type="fix" dev="rbri">
-                Enable FEATURE_SECURE_PROCESSING for the MSXML XSLProcessor.
+                Enable FEATURE_SECURE_PROCESSING for the MSXML XSLProcessor (CVE-2023-49093).
             </action>
             <action type="fix" dev="René Schwietzke">
                 neko: fix wrong error processing for some unicode entities.

src/site/xdoc/index.xml

@@ -57,9 +57,9 @@
         <section name="Where to find...">
             <p>
                 <dl>
-                    <dt>Latest release <date>November 18, 2023</date></dt>
+                    <dt>Latest release <date>December 03, 2023</date></dt>
                     <dd>
-                        <p><a href="https://github.com/HtmlUnit/htmlunit/releases/tag/3.8.0">version 3.8.0</a></p>
+                        <p><a href="https://github.com/HtmlUnit/htmlunit/releases/tag/3.9.0">version 3.9.0</a></p>
                     </dd>
 
                     <dt>Source code</dt>

src/site/xdoc/migration.xml

@@ -19,7 +19,7 @@
                 <source><![CDATA[<dependency>
     <groupId>org.htmlunit</groupId>
     <artifactId>htmlunit</artifactId>
-    <version>3.8.0</version>
+    <version>3.9.0</version>
 </dependency>]]></source>
             </subsection>