dep: update libxml2 to v2.10.3 (backport to v1.13.x) #2667
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from v2.9.14 Details: - 0004-use-glibc-strlen.patch was upstreamed in 48ed5a7 - 0008-htmlParseComment-handle-abruptly-closed-comments.patch was upstreamed in d7b287b - xmlXPathInit was deprecated upstream in 40483d0 Full change log is at https://download.gnome.org/sources/libxml2/2.10/libxml2-2.10.0.news backport of b9eac3c
from v1.1.35 Full change log is at https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.36 backport of ba290a4
from v2.9.10 See https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.1 backport of bcb6a1d
from v2.10.1 See https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.2 Also see the commit updating libxml2 to automake 1.16.3 which allows us to finally remove the 0006 patch for arm64 builds: > https://gitlab.gnome.org/GNOME/libxml2/-/commit/ed80e8c9d8fbeb509f7bbbd3f58deb3e09be32f2 backport of 89eee16
from v1.1.36 See https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.37 This reverts 1ab64d2 which was upstreamed in this version of libxslt. backport of 0fff616
from v2.10.2 See https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3 Note the new behavior around CDATA nodes longer than 10MB. backport of 3ebb3b5
flavorjones
added
vendored/libxml2
topic/security
vendored/libxslt
backport
2 tasks
flavorjones
force-pushed
the
flavorjones-update-libxml2-2.10.3_backport-v1.13.x
branch
from
c912eac to
cd9aeee
Compare
flavorjones
deleted the
flavorjones-update-libxml2-2.10.3_backport-v1.13.x
branch
|
Hey @flavorjones Would it be okay if I put a PR for backporting this to 1.12.x? |
|
@EduardoGHdez Thanks for asking this question. The v1.12.x branch is not maintained and we are not planning on making any more releases on that branch. Can you say more about what you're hoping to achieve with a backport? Why aren't you instead upgrading to v1.13.x? If your primary interest is security, then I'm obligated to point out there are published vulnerabilities in the v1.12.x code that will remain unaddressed (see here and here). |
|
The main reason is bc we are not running on ruby 2.6 yet. But I think this is not but an argument to prioritize the ruby-upgrade work Thanks for answering @flavorjones 🙇🏽 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What problem is this PR intended to solve?
Backport of #2666 to the v1.13.x branch.
Also see parent issue #2665.