Nokogiri v1.10.5 Release Notes

Release Date: 2019-10-31 // 18 days ago
  • 🔒 Security

    ⬆️ [MRI] Vendored libxslt upgraded to v1.1.34 which addresses three CVEs for libxslt:

    • CVE-2019-13117
    • CVE-2019-13118
    • CVE-2019-18197

    More details are available at #1943.

    Dependencies

    • ⚡️ [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
    • ⚡️ [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

Previous changes from v1.10.4

  • 1.10.4 / 2019-08-11

    🔒 Security

    ➕ Address CVE-2019-5477 (#1915)

    💎 A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

    ⬆️ This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

    This CVE's public notice is #1915