[MRI] Upstream libxml2 patches are applied to the vendored libxml 2.9.4 which address CVE-2016-4658 and CVE-2016-5131.
For more information:
- ✂ Remove deprecation warnings in Ruby 2.4.0 (#1545) (Thanks, @matthewd!)
- 👌 Support egcc compiler on OpenBSD (#1543) (Thanks, @frenkel and @knu!)
🚀 This release ends support for:
- 💎 Ruby 1.9.2, for which official support ended on 2014-07-31
- 💎 Ruby 1.9.3, for which official support ended on 2015-02-23
- 💎 Ruby 2.0.0, for which official support ended on 2016-02-24
- 👀 MacRuby, which hasn't been actively supported since 2015-01-13 (see https://github.com/MacRuby/MacRuby/commit/f76b9d6e99c18236db617e8aceb12c27d593a483)
🔒 [MRI] Bundled libxml2 is upgraded to 2.9.4, which fixes many security issues. Many of these had previously been patched in the vendored libxml 2.9.2 in the 1.6.7.x branch, but some are newer.
👀 See these libxml2 email posts for more:
🔒 For a more detailed analysis, you may care to read Canonical's take on these security issues:
🔒 [MRI] Bundled libxslt is upgraded to 1.1.29, which fixes a security issue and many long-standing bugs, and also brings some new features, portability improvements, and general cleanup.
👀 See this libxslt email post for more:
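A check added here by the editor, not code from the Nokogiri project: given a hash shaped like `Nokogiri::VERSION_INFO` (the 1.6.x layout is assumed, with a `"libxml"` entry carrying `"source"`, `"compiled"` and `"loaded"` keys), it reports whether the running process actually has the libxml2 2.9.4 this release vendors. The practical caveat it encodes is that the upstream patches described above live in the gem's vendored tree, so a gem built against the system libxml2 gets whatever the distro ships instead, and a JRuby build uses Xerces rather than libxml2 and is not affected by these advisories at all. The sample hashes are constructed, not real output.

```ruby
require "rubygems" # Gem::Version; normally already loaded

# Added example, not Nokogiri's own code. Assumes the 1.6.x layout of
# Nokogiri::VERSION_INFO: info["libxml"] = { "source" => "packaged"|"system",
# "compiled" => "x.y.z", "loaded" => "x.y.z" }. Pass the real constant to
# vendored_lib_findings after `require "nokogiri"`.

# libxml2 version this release vendors; older copies lack the upstream fixes
# for CVE-2016-4658 and CVE-2016-5131 noted above.
FIXED_LIBXML2 = Gem::Version.new("2.9.4")

# Returns an array of findings; empty means the vendored, patched library is in use.
def vendored_lib_findings(info)
  findings = []
  libxml = info["libxml"]

  # JRuby builds report Xerces/NekoHTML instead; libxml2 advisories do not apply.
  unless libxml
    findings << "no libxml2 binding (JRuby/Xerces build); libxml2 advisories do not apply"
    return findings
  end

  loaded   = Gem::Version.new(libxml.fetch("loaded"))
  compiled = Gem::Version.new(libxml.fetch("compiled"))

  if loaded < FIXED_LIBXML2
    findings << "libxml2 #{loaded} loaded; this release's fixes need >= #{FIXED_LIBXML2}"
  end

  # A system build links whatever the OS provides; the patches carried in the
  # gem's vendored tree are not in effect, so the distro advisory is what counts.
  if libxml["source"] != "packaged"
    findings << "built against system libxml2 (source=#{libxml['source']}); vendored patches not in effect"
  end

  # Compile-time and runtime versions drift when a shared libxml2 is upgraded
  # or downgraded underneath an already-built extension.
  if compiled != loaded
    findings << "compiled against libxml2 #{compiled} but #{loaded} is loaded at runtime"
  end

  findings
end

# Constructed sample inputs (not real VERSION_INFO output).
PACKAGED_SAMPLE = {
  "nokogiri" => "1.6.8",
  "libxml" => { "binding" => "extension", "source" => "packaged",
                "compiled" => "2.9.4", "loaded" => "2.9.4" }
}

SYSTEM_SAMPLE = {
  "nokogiri" => "1.6.8",
  "libxml" => { "binding" => "extension", "source" => "system",
                "compiled" => "2.9.2", "loaded" => "2.9.1" }
}

JRUBY_SAMPLE = { "nokogiri" => "1.6.8", "xerces" => "2.11.0" }

if $PROGRAM_NAME == __FILE__
  { "packaged" => PACKAGED_SAMPLE, "system" => SYSTEM_SAMPLE, "jruby" => JRUBY_SAMPLE }.each do |label, info|
    findings = vendored_lib_findings(info)
    puts "#{label}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```

Run it against `Nokogiri::VERSION_INFO` in the deployed Ruby, not on a developer laptop: the `"source"` and `"loaded"` values are properties of the build that was actually installed, which is exactly what differs between a `gem install nokogiri` and a `--use-system-libraries` build.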
🐎 Several changes were made to improve performance:
- [MRI] Simplify `NodeSet#to_a` with a minor speed-up. (#1397)
- `XML::Node#ancestors` optimization. (#1297) (Thanks, Bruno Sutic!)
- 👉 Use `Symbol#to_proc` where we weren't previously. (#1296) (Thanks, Bruno Sutic!)
- `XML::DTD#each` uses implicit block calls. (Thanks, @glaucocustodio!)
- Fall back to the `pkg-config` gem if we're having trouble finding the system libxml2. This should help many FreeBSD users. (#1417)
- Set document encoding appropriately even on blank document. (#1043) (Thanks, @batter!)
- 💎 [JRuby] fix slow add_child (#692)
- 🚀 [JRuby] fix load errors when deploying to JRuby/Torquebox (#1114) (Thanks, @atambo and @jvshahid!)
- 💎 [JRuby] fix NPE when inspecting nodes returned by `NodeSet#drop` (#1042) (Thanks, @mkristian!)
- 💎 [JRuby] fix nil attribute node's namespace in reader (#1327) (Thanks, @codekitchen!)
- 💎 [JRuby] fix Nokogiri munging unicode characters that require more than 2 bytes (#1113) (Thanks, @mkristian!)
- 💎 [JRuby] allow unlinking an unparented node (#1112, #1152) (Thanks, @esse!)
- 📜 [JRuby] allow Fragment parsing on a frozen string (#444, #1077)
- 💅 [JRuby] HTML `style` tags are no longer encoded (#1316) (Thanks, @tbeauvais!)
- [MRI] fix assertion failure while accessing attribute node's namespace in reader (#843) (Thanks, @2potatocakes!)
- [MRI] fix issue with GCing namespace nodes returned in an xpath query. (#1155)
- [MRI] Ensure C strings are null-terminated. (#1381)
- 💎 [MRI] Ensure Rubygems is loaded before using mini_portile2 at installation. (#1393, #1411) (Thanks, @JonRowe!)
- ✅ [MRI] Handle another edge case where the `libxml-ruby` gem's global callbacks were smashing the heap. (#1426) (Thanks to @bbergstrom for providing an isolated test case!)
- 📜 [MRI] Ensure encodings are passed to the `Sax::Parser` xmldecl callback. (#844)
- 0️⃣ [MRI] Ensure default ns prefix is applied correctly when reparenting nodes to another document. (#391) (Thanks, @ylecuyer!)
- [MRI] Ensure Reader handles non-existent attributes as expected. (#1254) (Thanks, @ccutrer!)
- [MRI] Cleanup around namespace handling when reparenting nodes. (#1332, #1333, #1444) (Thanks, @cuttrer and @bradleybeddoes!)
- unescape special characters in CSS queries (#1303) (Thanks, @twalpole!)
- consistently handle empty documents (#1349)
- ⚡️ Update to mini_portile2 2.1.0 to address whitespace-handling during patching. (#1402)
- 🛠 Fix encoding of xml node namespaces.
- 🐳 Work around issue installing Nokogiri on overlayfs (commonly used in Docker containers). (#1370, #1405)
- ✂ Removed legacy code remaining from Ruby 1.8.x support.
- ✂ Removed legacy code remaining from REE support.
- ↪ Removed hacky workarounds for bugs in some older versions of libxml2.
- Handle C strings in a forward-compatible manner, see https://github.com/ruby/ruby/blob/v2_2_0/NEWS#L319
Dependency License Notes
This version makes `pkg-config` an optional dependency. If it's installed, it's used; otherwise Nokogiri will attempt to work around its absence.
🏁 This version supports native builds on Windows using the RubyInstaller 🏁 DevKit. It also supports Ruby 2.2.x on Windows, as well as making several other improvements to the installation process on various platforms.
- 💎 Cross-built gems now have a proper ruby version requirement. (#1266)
- 🏁 Ruby 2.2.x is supported on Windows.
- 🏁 Native build is supported on Windows.
- [MRI] libxml2 and libxslt `config.guess` files brought up to date. (#1326) (Thanks, @hernan-erasmo!)
- 💎 [JRuby] fix error in validating files with jruby (#1355, #1361) (Thanks, @twalpole!)
- [MRI, OSX] Patch to handle nonstandard location of `iconv.h`. (#1206, #1210, #1218, #1345) (Thanks, @neonichu!)
- 💎 [JRuby] reset the namespace cache when replacing the document's innerHtml (#1265) (Thanks, @mkristian!)
- 📜 [JRuby] `Document#parse` should support IO objects that respond to `#read`. (#1124) (Thanks, Jake Byman!)
- [MRI] Duplicate-id errors when setting the `id` attribute on HTML documents are now silenced. (#1262)
- 📜 [JRuby] fix SAX parser cutting text into pieces when square brackets are present. (#1261)
- 🚚 [JRuby] fix namespaced attributes not being removed by `remove_attribute`. (#1299)
This version pulls in several upstream patches to the vendored libxml2 and libxslt to address:
Ubuntu classifies this as "Priority: Low", RedHat classifies this as "Impact: Moderate", and NIST classifies this as "Severity: 5.0 (MEDIUM)".
MITRE record is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7499