Posted by usa on 1 Oct 2019

Ruby 2.4.8 has been released.

This release includes security fixes. Please check the topics below for details.

• CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
• CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
• CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
• CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick’s Digest access authentication

Ruby 2.4 is now under the state of the security maintenance phase, until the end of March of 2020. After that date, maintenance of Ruby 2.4 will be ended. We recommend you start planning the migration to newer versions of Ruby, such as 2.6 or 2.5.

Update (Oct 2nd 4:00 UTC): We’re working on the issue that the Ruby 2.4.8 release tarball doesn’t install under non-root user. Follow [Bug #16197] for detailed updates.

Download

• https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.8.tar.bz2

  SIZE: 12204030
  SHA1: 5f742a8df243fa4e216ff6f0c26cc8222a182459
  SHA256: e30eedd91386bec81489d2637522c9017aebba46f98e8b502f679df6b2f6a469
  SHA512: 2d7e0f5ad766e2a12a1b53ff838e6bfe86244ffb7202196769c25e9df6f71f3ccdd8605e7ef35c53e54310bc82caf6b368ad5111dd0a3ad70a3aae1a7be93f08
  

• https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.8.tar.gz

  SIZE: 13800260
  SHA1: a13b0915b7fb3dd0fe1ed6a4e3640034038ba6c9
  SHA256: 37f0d180afa56ec3e7a3669c6f1b6ee8a47a811261f0e1afa8f817c8b577bd68
  SHA512: 4e5068b73356a9fa0bd2c8aaa261909039653c62dc363dd8b36c9c73b11b9c4e6ade752d7c67f1b38c00e27a4861f94ce696158bd210035ea0b417d0887a329b
  

• https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.8.tar.xz

  SIZE: 9813812
  SHA1: adf24e0b0ad1755067435f21baa8d142bcaff5a9
  SHA256: a2a8f53ef14b891821dbbf67b081d7b9e223007a347000ff4a86a226a4708272
  SHA512: 5f51a8312c23c1c2bfbb9c59efbd789492a4a7e4b1d4e7764db6eaaa542008e814b40817f10825e22c7fa8715fb9187be5d09b06128da211559b3601785937ea
  

• https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.8.zip

  SIZE: 15322048
  SHA1: 756a206a5f91c1237432f693b157a6842039d760
  SHA256: a84e1c946761b1ed947194b6248a50f9aee21ca412dcd6021973951fd846a035
  SHA512: dcf7dead5baed4ffbd68016581ef1162f78729db9b5a49501a04d68d768e9138faa6e293c91dd9203a9a28d406bb236dd633688f1e96a07906e37db273ac8846
  

Release Comment

Thanks to everyone who helped with this release, especially, to reporters of the vulnerability.

Syndicate

Recent News (RSS)