Conversation

@sgerrand

⚠️ ⚠️ ⚠️ ⚠️ ⚠️
The f2dd079, 3b9ee4b and 002e4d8 commits shouldn't appear, but do because this was created from the v1.6.8.1 tag. Ideally I'd like to target a branch off the v1.6.8.1 tag (e.g. v1.6.8.x). I'll happily clean up this changeset and retarget the base branch once that exists.
⚠️ ⚠️ ⚠️ ⚠️ ⚠️

💁 These changes backport the patches for USN-3235-1 back to the 1.6.8.x series.

larskanis and others added 5 commits October 2, 2016 23:35
Using the pkg-config gem as a runtime dependency of nokogiri results in a
license conflict. pkg-config is LGPL but nokogiri is MIT.

Making the pkg-config gem optional solves this issue.

Fixes sparklemotion#1488 and sparklemotion#1496.
which is being made optional
which address CVE-2016-4658 and CVE-2016-5131.

see sparklemotion#1615 for more information
Backports part of 10d49bb to v1.6.8.x branch.

[ci skip]
@flavorjones
Member

Hi! Thanks for submitting this!

I really would like to have a conversation about it before taking action. The 1.6.8.x release isn't supported anymore, and we're encouraging teams to upgrade to get security patches.

Can you help me understand why upgrading to 1.7.x isn't an appropriate solution for you, if you need to patch this USN? Or alternatively, to use your system libraries to get a patched version of libxml2/libxslt?

@sgerrand
Author

👋 Apologies for the delayed response.

I really would like to have a conversation about it before taking action. The 1.6.8.x release isn't supported anymore, and we're encouraging teams to upgrade to get security patches.

🙇

Can you help me understand why upgrading to 1.7.x isn't an appropriate solution for you, if you need to patch this USN? Or alternatively, to use your system libraries to get a patched version of libxml2/libxslt?

I have some applications running in environments which have older (< v2.1) versions of Ruby. The intent of this change proposal was to apply this significant security patch to the most recent version of the 1.6.8.x branch in order to get this fix into production, while allowing the runtime environment to be upgraded to a modern generally available version of Ruby.

@marutosi
Contributor

marutosi commented Jun 19, 2017

Can you help me understand why upgrading to 1.7.x isn't an appropriate solution for you,

Redmine users claim dropping old Ruby support.
http://www.redmine.org/issues/25538#note-6

@flavorjones
Member

You'll note that Nokogiri 1.8.0 has been released, and we're still keeping the 1.7.x branch up to date with security patches.

Your options are:
