This issue is to drive investigation and potential action around a set of upstream libxslt patches that Canonical judged valuable enough to port to their distributions.
"libxslt vulnerabilities"
https://www.ubuntu.com/usn/usn-3271-1/
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
priority: medium
The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in
Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux
and 57.0.2987.108 for Android, lacked a check for integer overflow during a
size calculation, which allowed a remote attacker to perform an out of
bounds memory write via a crafted HTML page.
patches:
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1683.html
priority: medium
numbers.c in libxslt before 1.1.29, as used in Google Chrome before
51.0.2704.63, mishandles namespace nodes, which allows remote attackers to
cause a denial of service (out-of-bounds heap memory access) or possibly
have unspecified other impact via a crafted document.
patches:
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1841.html
priority: medium
libxslt, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS
before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption) via a
crafted web site.
patches:
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7995.html
priority: low
The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not
check if the parent node is an element, which allows attackers to cause a
denial of service via a crafted XML file, related to a "type confusion"
issue.
patches:
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1684.html
priority: medium
numbers.c in libxslt before 1.1.29, as used in Google Chrome before
51.0.2704.63, mishandles the i format token for xsl:number data, which
allows remote attackers to cause a denial of service (integer overflow or
resource consumption) or possibly have unspecified other impact via a
crafted document.
patches:
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html
priority: medium
libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
watchOS before 3 allows remote attackers to execute arbitrary code or cause
a denial of service (memory corruption) via a crafted web site.
patches:
To focus the decision, there are only two patches in this set that were not in libxslt 1.1.29; the patch for CVE-2017-5029 (medium) and for CVE-2016-4738 (medium).
I'd like to port these to Nokogiri and cut v1.7.2 as a security release.
I'll do this in the next few days unless I hear compelling objections here in the next 24 hours.
3c8d673 on the v1.7.x branch is green:

shipping it now.
v1.7.2 has been released with these patches.
And merged into master. Closing.
Most helpful comment
And merged into master. Closing.