dep: upgrade libxslt 1.1.34 → 1.1.35

sparklemotion · Feb 20, 2022 · d37dd02 · d37dd02
1 parent 59a9398
commit d37dd02
Show file tree

Hide file tree

Showing 5 changed files with 2,457 additions and 1,967 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,13 @@ Nokogiri follows [Semantic Versioning](https://semver.org/), please see the [REA
 
 ---
 
+## 1.13.2 / unreleased
+
+### Dependencies
+
+* [CRuby] Vendored libxslt is updated from 1.1.34 to 1.1.35. This update addresses [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560). Full changelog is available at https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.news
+
+
 ## 1.13.1 / 2022-01-13
 
 ### Fixed

diff --git a/dependencies.yml b/dependencies.yml
@@ -29,34 +29,9 @@ libxml2:
   #
 
 libxslt:
-  version: "1.1.34"
-  sha256: "98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7f93f7f"
-  #  manually verified checksum:
-  #
-  #    $ gpg --verify ~/Downloads/libxslt-1.1.34.tar.gz.asc ports/archives/libxslt-1.1.34.tar.gz
-  #    gpg: Signature made Wed 30 Oct 2019 04:02:48 PM EDT
-  #    gpg:                using RSA key DB46681BB91ADCEA170FA2D415588B26596BEA5D
-  #    gpg: Good signature from "Daniel Veillard (Red Hat work email) <[email protected]>" [unknown]
-  #    gpg:                 aka "Daniel Veillard <[email protected]>" [unknown]
-  #    gpg: WARNING: This key is not certified with a trusted signature!
-  #    gpg:          There is no indication that the signature belongs to the owner.
-  #    Primary key fingerprint: C744 15BA 7C9C 7F78 F02E  1DC3 4606 B8A5 DE95 BC1F
-  #         Subkey fingerprint: DB46 681B B91A DCEA 170F  A2D4 1558 8B26 596B EA5D
-  #
-  #  using this pgp signature:
-  #
-  #    -----BEGIN PGP SIGNATURE-----
-  #    
-  #    iQEzBAABCAAdFiEE20ZoG7ka3OoXD6LUFViLJllr6l0FAl257GgACgkQFViLJllr
-  #    6l2vVggAjJEHmASiS56SxhPOsGqbfBihM66gQFoIymQfMu2430N1GSTkLsfbkJO8
-  #    8yBX11NjzK/m9uxwshMW3rVCU7EpL3PUimN3reXdPiQj9hAOAWF1V3BZNevbQC2E
-  #    FCIraioukaidf8sjUG4/sGpK/gOcP/3hYoN0HUoBigCNJjDqhijxM3M3GJJtCASp
-  #    jL4CQbs2OmxW8ixOZbuWEESvFFHUgYRsdZjRVN+GRfSOvJjxypurmYwQ3RjO7JxL
-  #    2FY8qKQ+xpeID8NV8F5OUEvWBjk1QS133VTqBZNlONdnEtV/og6jNu5k0O/Kvhup
-  #    caR+8TMErOcLr9OgDklO6DoYyAsf9Q==
-  #    =g4i4
-  #    -----END PGP SIGNATURE-----
-  #
+  version: "1.1.35"
+  sha256: "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"
+  # sha-256 hash provided in https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.sha256sum
 
 zlib:
   version: "1.2.11"

diff --git a/ext/nokogiri/extconf.rb b/ext/nokogiri/extconf.rb
@@ -818,8 +818,9 @@ def compile
     if source_dir
       recipe.source_directory = source_dir
     else
+      minor_version = Gem::Version.new(recipe.version).segments.take(2).join(".")
       recipe.files = [{
-        url: "http://xmlsoft.org/sources/#{recipe.name}-#{recipe.version}.tar.gz",
+        url: "https://download.gnome.org/sources/libxslt/#{minor_version}/#{recipe.name}-#{recipe.version}.tar.xz",
         sha256: dependencies["libxslt"]["sha256"],
       }]
       recipe.patch_files = Dir[File.join(PACKAGE_ROOT_DIR, "patches", "libxslt", "*.patch")].sort