diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1f98216c36c..314b585e792 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,18 @@ Nokogiri follows [Semantic Versioning](https://semver.org/), please see the [REA
 ---
+## v1.16.next / unreleased
+
+### Security
+
+* [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See [GHSA-xc9x-jj77-9p9j](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j) for more information.
+
+
+### Dependencies
+
+* [CRuby] Vendored libxml2 is updated to [v2.12.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5) from v2.12.4. (@flavorjones)
+
+
 ## v1.16.1 / 2024-02-03
 ### Dependencies
diff --git a/dependencies.yml b/dependencies.yml
index a69fe871b31..03860e6a3ec 100644
--- a/dependencies.yml
+++ b/dependencies.yml
@@ -1,8 +1,8 @@
 libxml2:
- version: "2.12.4"
- sha256: "497360e423cf0bd99eacdb7c6215dea92e6d6e89ee940393c2bae0e77cb9b7d0"
- # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.12/libxml2-2.12.4.sha256sum
+ version: "2.12.5"
+ sha256: "a972796696afd38073e0f59c283c3a2f5a560b5268b4babc391b286166526b21"
+ # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.12/libxml2-2.12.5.sha256sum
 libxslt:
 version: "1.1.39"
diff --git a/patches/libxml2/0012-parser-Fix-crash-in-xmlParseInNodeContext-with-HTML.patch b/patches/libxml2/0012-parser-Fix-crash-in-xmlParseInNodeContext-with-HTML.patch
deleted file mode 100644
index 56e88517843..00000000000
--- a/patches/libxml2/0012-parser-Fix-crash-in-xmlParseInNodeContext-with-HTML.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 95f2a17440568694a6df6a326c5b411e77597be2 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Tue, 30 Jan 2024 13:25:17 +0100
-Subject: [PATCH] parser: Fix crash in xmlParseInNodeContext with HTML
- documents
-
-Ignore namespaces if we have an HTML document with namespaces added
-manually.
-
-Fixes #672.
----
- parser.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/parser.c b/parser.c
-index 1038d71b..f7842ed1 100644
---- a/parser.c
-+++ b/parser.c
-@@ -12415,8 +12415,10 @@ xmlParseInNodeContext(xmlNodePtr node, const char *data, int datalen,
- }
- xmlAddChild(node, fake);
-
-- if (node->type == XML_ELEMENT_NODE) {
-+ if (node->type == XML_ELEMENT_NODE)
- nodePush(ctxt, node);
-+
-+ if ((ctxt->html == 0) && (node->type == XML_ELEMENT_NODE)) {
- /*
- * initialize the SAX2 namespaces stack
- */
--- 
-2.42.0
-
diff --git a/test/html5/test_api.rb b/test/html5/test_api.rb
index 1263aefa365..926fa8a4dc0 100644
--- a/test/html5/test_api.rb
+++ b/test/html5/test_api.rb
@@ -239,12 +239,11 @@ def test_node_wrap_uses_parent_node_as_parsing_context_node
 end
 def test_parse_in_context_of_foreign_namespace
- if Nokogiri.uses_libxml?("~> 2.12.0")
- skip_unless_libxml2_patch("0012-parser-Fix-crash-in-xmlParseInNodeContext-with-HTML.patch")
- end
-
 # https://github.com/sparklemotion/nokogiri/issues/3112
 # https://gitlab.gnome.org/GNOME/libxml2/-/issues/672
+ # released upstream in v2.12.5
+ skip if Nokogiri.uses_libxml?(["~> 2.12.0", "< 2.12.5"])
+
 doc = Nokogiri::HTML5::Document.parse("")
 math = doc.at_css("math")
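Review bot: The new `skip` in test_parse_in_context_of_foreign_namespace is called without a message, so a run against libxml2 2.12.0–2.12.4 reports a bare skip and the reason survives only in the comments above it. Passing the reason keeps the coverage gap visible in test output: `skip("libxml2 < 2.12.5 crashes in xmlParseInNodeContext on HTML documents, see libxml2 issue 672") if Nokogiri.uses_libxml?(["~> 2.12.0", "< 2.12.5"])`. On those versions the crash path stays unexercised, which is presumably intended for system-library builds but is worth stating where the test report shows it. The test body continues past the end of the hunk.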