Request: security updates for 1.15 #3146
Closed
jamiemccarthy announced in RFCs
Replies: 1 comment 6 replies
Hi @jamiemccarthy, sorry for my slow reply, it's been a busy week. I'll take a look at how hard this will be. The easiest path would be to cut a v1.15 patch release that upgrades to libxml 2.11.7 which patches this CVE. If that goes green I'm open to cutting a security release.
Yes, ruby 2.7 has been EOL for almost a year, but many of us still have blockers before we can upgrade to 3.0. As of right now, CVE-2024-25062 is one of our top two security concerns on an audience-facing site I work on. Our current path forward would be figuring out how to compile libxml2 and link it into nokogiri for ourselves, which is going to be tricky to do right for our multi-platform Docker-based environments.
If you're able to continue to release (only) security fixes for the 1.15 version tree, we and probably many other sites would appreciate it.
Thank you for your consideration, and for your years of work on this important and popular gem!
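An added check, not from this thread or from Nokogiri's own code, for either path discussed above (a patched gem release or a self-built libxml2 linked into nokogiri): it reports which libxml2 the installed Nokogiri was compiled against and which shared library it actually loaded at runtime, and compares both against the 2.11.7 floor the maintainer names. It assumes `Nokogiri::VERSION_INFO` exposes `"libxml" => {"compiled", "loaded"}`, that a version may arrive either dotted (`2.11.7`) or in libxml2's packed numeric form (`21107`), and that the status names and the sample hashes are constructed for illustration.

```ruby
# Version floor taken from the thread: libxml 2.11.7 carries the fix for the CVE discussed.
FIX_FLOOR = "2.11.7"

# libxml2 reports its version either dotted ("2.11.7") or packed ("21107" = 2.11.07).
# Normalize both to dotted form; return nil for anything unrecognized.
def normalize_libxml_version(v)
  s = v.to_s.strip
  return s if s.match?(/\A\d+(\.\d+)+\z/)
  m = s.match(/\A(\d+)(\d\d)(\d\d)\z/) or return nil
  m.captures.map(&:to_i).join(".")
end

# Numeric comparison via Gem::Version so "2.9.14" is correctly below "2.11.7"
# (a plain string comparison would get that wrong).
def version_at_least?(actual, floor)
  a = normalize_libxml_version(actual) or return false
  Gem::Version.new(a) >= Gem::Version.new(floor)
end

# Given a hash shaped like Nokogiri::VERSION_INFO (assumed layout), return one of:
#   :ok            compiled-against and runtime-loaded libxml2 both meet the floor
#   :loaded_older  compiled against a fixed libxml2, but the shared library actually
#                  loaded is older (typical when system libraries are linked in)
#   :below_floor   compiled against a libxml2 below the floor; note a distro may have
#                  backported the fix without bumping the version, so verify separately
#   :no_libxml     no libxml2 in play (e.g. JRuby builds use Xerces instead)
def assess_libxml(version_info, floor = FIX_FLOOR)
  libxml = version_info["libxml"] or return :no_libxml
  compiled = libxml["compiled"]
  loaded   = libxml["loaded"] || compiled
  return :below_floor unless version_at_least?(compiled, floor)
  version_at_least?(loaded, floor) ? :ok : :loaded_older
end

# Inspect the Nokogiri installed in the current Ruby, if any.
def check_installed_nokogiri
  require "nokogiri"
  [assess_libxml(Nokogiri::VERSION_INFO), Nokogiri::VERSION_INFO["libxml"]]
rescue LoadError
  [:nokogiri_not_installed, nil]
end

if __FILE__ == $PROGRAM_NAME
  status, libxml = check_installed_nokogiri
  puts "nokogiri libxml2 status: #{status}"
  puts libxml.inspect if libxml
end
```

Run it inside each Docker image (`bundle exec ruby check_libxml.rb`) rather than on a workstation, since the loaded library is whatever the image's linker resolves.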