From 2a0ac88518fdd1509d14c4cbdb9784c73dd8a839 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Sun, 26 Sep 2021 18:01:24 -0400 Subject: [PATCH] update CHANGELOG --- CHANGELOG.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6e4cc116c9..2ec87f5d66 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,22 @@ Nokogiri follows [Semantic Versioning](https://semver.org/), please see the [README.md](README.md) for details. +## 1.12.next / unreleased + +### Security + +[JRuby] Address CVE-2021-41098 ([GHSA-2rr5-8q37-2w7h](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h)). + +In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers resolve external entities (XXE) by default. This fix turns off entity-resolution-by-default in the JRuby SAX parsers to match the CRuby SAX parsers' behavior. + +CRuby users are not affected by this CVE. + + +### Fixed + +* [CRuby] `Document#to_xhtml` properly serializes self-closing tags in libxml > 2.9.10. A behavior change introduced in libxml 2.9.11 resulted in emitting start and and tags (e.g., `

`) instead of a self-closing tag (e.g., `
`) in previous Nokogiri versions. [[#2324](https://github.com/sparklemotion/nokogiri/issues/2324)] + + ## 1.12.4 / 2021-08-29 ### Notable fix: Namespace inheritance
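Review bot: the "Fixed" entry in this hunk reads "emitting start and and tags", which duplicates "and"; it should say "start and end tags". As rendered here the two inline code examples in that sentence (the tag pair versus the self-closing form) are empty, so confirm the markup survived in the committed file. Two minor points on the same hunk: there are two consecutive blank `+` lines before `### Fixed` where the rest of the file uses one, and the Security entry could state whether JRuby users who depended on external entity resolution in the SAX parsers can opt back in, since a default flipping in a patch release is the first thing a reader of this entry will ask.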