Ruby 3.1.0 Released
Posted by naruse on 25 Dec 2021
CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse
A cookie prefix spoofing vulnerability was discovered in CGI::Cookie.parse. This vulnerability has been assigned the CVE identifier CVE-2021-41819. We strongly recommend upgrading Ruby.
Posted by mame on 24 Nov 2021
CVE-2021-41816: Buffer Overrun in CGI.escape_html
A buffer overrun vulnerability was discovered in CGI.escape_html. This vulnerability has been assigned the CVE identifier CVE-2021-41816. We strongly recommend upgrading Ruby.
Posted by mame on 24 Nov 2021
CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods
We have released date gem version 3.2.1, 3.1.2, 3.0.2, and 2.0.1 that include a security fix for a regular expression denial of service vulnerability (ReDoS) on date parsing methods. An attacker can exploit this vulnerability to cause an effective DoS attack. This vulnerability has been assigned the CVE identifier CVE-2021-41817.
Posted by mame on 15 Nov 2021
2022 Fukuoka Ruby Award Competition - Entries to be judged by Matz
Dear Ruby Enthusiasts,
Posted by Fukuoka Ruby on 3 Aug 2021
CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
A trusting FTP PASV responses vulnerability was discovered in Net::FTP. This vulnerability has been assigned the CVE identifier CVE-2021-31810. We strongly recommend upgrading Ruby.
Posted by shugo on 7 Jul 2021
CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
A StartTLS stripping vulnerability was discovered in Net::IMAP. This vulnerability has been assigned the CVE identifier CVE-2021-32066. We strongly recommend upgrading Ruby.
Posted by shugo on 7 Jul 2021
CVE-2021-31799: A command injection vulnerability in RDoc
There is a vulnerability about Command Injection in RDoc which is bundled in Ruby. It is recommended that all Ruby users update RDoc to the latest version that fixes this issue.
Posted by aycabta on 2 May 2021
CVE-2021-28965: XML round-trip vulnerability in REXML
There is an XML round-trip vulnerability in REXML gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2021-28965. We strongly recommend upgrading the REXML gem.
Posted by mame on 5 Apr 2021
CVE-2021-28966: Path traversal in Tempfile on Windows
There is an unintentional directory creation vulnerability in tmpdir library bundled with Ruby on Windows. And there is also an unintentional file creation vulnerability in tempfile library bundled with Ruby on Windows, because it uses tmpdir internally. This vulnerability has been assigned the CVE identifier CVE-2021-28966.
Posted by mame on 5 Apr 2021