<?xml version="1.0" encoding="UTF-8"?> <rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"> <channel> <title>Ruby News</title> <link>https://www.ruby-lang.org/en/feeds/news.rss</link> <language>en-US</language> <ttl>40</ttl> <description>The latest news from ruby-lang.org.</description> <item> <title>Ruby 3.3.6 Released</title> <description><p>Ruby 3.3.6 has been released.</p> <p>This is a routine update that includes minor bug fixes. It also stops warning about missing default gem dependencies that will become bundled gems in Ruby 3.5. For more details, please refer to <a href="https://github.com/ruby/ruby/releases/tag/v3_3_6">the release notes on GitHub</a>.</p> <h2>Release Schedule</h2> <p>As previously <a href="https://www.ruby-lang.org/en/news/2024/07/09/ruby-3-3-4-released/">announced</a>, we intend to release the latest stable Ruby version (currently Ruby 3.3) every 2 months following a <code class="language-plaintext highlighter-rouge">.1</code> release.</p> <p>We expect to release Ruby 3.3.7 on January 7th.
If any significant changes arise that impact a large number of users, we may release a new version earlier than scheduled.</p> <h2>Download</h2> <ul> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.6.tar.gz">https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.6.tar.gz</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 22153657 SHA1: 0106171cd1801fb5663e8e709f3d6c935d683c9b SHA256: 8dc48fffaf270f86f1019053f28e51e4da4cce32a36760a0603a9aee67d7fd8d SHA512: 4ae22f5c2a1f7ed84aab7587ff04ce4d9933cffe4347deaef0ab88d22c9780f274c1664a4ee1dd8235bc3cc749be828ffa8db7cb5f5002339a59a599acf3c729 </code></pre></div> </div> </li> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.6.tar.xz">https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.6.tar.xz</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 16398228 SHA1: 25391e9bd8547cd07e09afcfc472777520a3178a SHA256: 540975969d1af42190d26ff629bc93b1c3f4bffff4ab253e245e125085e66266 SHA512: c4b86188bf539fa737932e1ba5b746bc295e7c43b2f8cca2668eb7c88aa7228e2ce9032bbcd244a7d558a11bc842445b5fbeac3503ca7d223b63c53e08dba4ab </code></pre></div> </div> </li> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.6.zip">https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.6.zip</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 27048656 SHA1: 88239456249cd80cadd1cbf98a317ae700ccd9df SHA256: a60240a6f9bcc8db6c07d40ad29c7dceb21430debe3ebc39bf339207818132f6 SHA512: c010c7d3e2b373b41a18bcadfb6dba276afabe479d75624569b5bdc605f3575bced2aff511708e25ceca43c7c918400222329e55e599c54154f203957f119ad2 </code></pre></div> </div> </li> </ul> <h2>Release Comment</h2> <p>Many committers, developers, and users who provided bug reports helped us make this release. 
Thanks for their contributions.</p> <p>Posted by k0kubun on 5 Nov 2024</p></description> <pubDate>Tue, 05 Nov 2024 04:25:00 +0000</pubDate> <guid>https://www.ruby-lang.org/en/news/2024/11/05/ruby-3-3-6-released/</guid> <link>https://www.ruby-lang.org/en/news/2024/11/05/ruby-3-3-6-released/</link> </item> <item> <title>Ruby 3.2.6 Released</title> <description><p>Ruby 3.2.6 has been released.</p> <p>Please see the <a href="https://github.com/ruby/ruby/releases/tag/v3_2_6">GitHub releases</a> for further details.</p> <h2>Download</h2> <ul> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.6.tar.gz">https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.6.tar.gz</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 20521981 SHA1: bbf265f5e7a3f480056dc2fa6d600a97cba00713 SHA256: d9cb65ecdf3f18669639f2638b63379ed6fbb17d93ae4e726d4eb2bf68a48370 SHA512: 26ae9439043cf40e5eddde6b92ae51c9e1fa4e89c8ec6da36732c59c14873b022c683fb3007950d372f35de9b62a4fabbbc3ef1f4ef58cd53058bd56e1552cbe </code></pre></div> </div> </li> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.6.tar.xz">https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.6.tar.xz</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 15126888 SHA1: eabbe230df704e7141d53d8221314bb33b5f0dea SHA256: 671134022238c2c4a9d79dc7d1e58c909634197617901d25863642f735a27ecb SHA512: 78f7fc76d47c772b9bc313cbcb57a2c0f1a975e09cfe46a3083f6f603d62b0031bd4c55896c8353c1c343974d45077e06e310111198d870883e06a0cf6fd03ce </code></pre></div> </div> </li> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.6.zip">https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.6.zip</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 24653808 SHA1: efbcfc2c2e238a7201366fdefdcf0dc16e4072af SHA256: 
36ca2292b48d8f6a0281d6c772dc47c358cb838774addc0344e38d4d2735704f SHA512: 8474829ebe13b3357f962571e8114e47634b5ed1f3e2dbfdf4ecb2ece1a3ed354f3506e8526a6768457e980ea4f056d77cd5b547419f2d8f9bea07348f64edc2 </code></pre></div> </div> </li> </ul> <h2>Release Comment</h2> <p>Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.</p> <p>Posted by nagachika on 30 Oct 2024</p></description> <pubDate>Wed, 30 Oct 2024 10:00:00 +0000</pubDate> <guid>https://www.ruby-lang.org/en/news/2024/10/30/ruby-3-2-6-released/</guid> <link>https://www.ruby-lang.org/en/news/2024/10/30/ruby-3-2-6-released/</link> </item> <item> <title>CVE-2024-49761: ReDoS vulnerability in REXML</title> <description><p>There is a ReDoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier <a href="https://www.cve.org/CVERecord?id=CVE-2024-49761">CVE-2024-49761</a>. We strongly recommend upgrading the REXML gem.</p> <p>This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. 
Note that Ruby 3.1 will reach EOL on 2025-03.</p> <h2>Details</h2> <p>When parsing an XML that has many digits between <code class="language-plaintext highlighter-rouge">&amp;#</code> and <code class="language-plaintext highlighter-rouge">x...;</code> in a hex numeric character reference (<code class="language-plaintext highlighter-rouge">&amp;#x...;</code>), REXML gem may take a long time.</p> <p>Please update REXML gem to version 3.3.9 or later.</p> <h2>Affected versions</h2> <ul> <li>REXML gem 3.3.8 or prior with Ruby 3.1 or prior</li> </ul> <h2>Credits</h2> <p>Thanks to <a href="https://hackerone.com/manun">manun</a> for discovering this issue.</p> <h2>History</h2> <ul> <li>Originally published at 2024-10-28 03:00:00 (UTC)</li> </ul> <p>Posted by kou on 28 Oct 2024</p></description> <pubDate>Mon, 28 Oct 2024 03:00:00 +0000</pubDate> <guid>https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/</guid> <link>https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/</link> </item> <item> <title>Ruby 3.4.0 preview2 Released</title> <description> <p>We are pleased to announce the release of Ruby 3.4.0-preview2.</p> <h2>Prism</h2> <p>Switch the default parser from parse.y to Prism. [<a href="https://bugs.ruby-lang.org/issues/20564">Feature #20564</a>]</p> <h2>Language changes</h2> <ul> <li> <p>String literals in files without a <code class="language-plaintext highlighter-rouge">frozen_string_literal</code> comment now emit a deprecation warning when they are mutated. These warnings can be enabled with <code class="language-plaintext highlighter-rouge">-W:deprecated</code> or by setting <code class="language-plaintext highlighter-rouge">Warning[:deprecated] = true</code>. To disable this change, you can run Ruby with the <code class="language-plaintext highlighter-rouge">--disable-frozen-string-literal</code> command line argument.
[<a href="https://bugs.ruby-lang.org/issues/20205">Feature #20205</a>]</p> </li> <li> <p><code class="language-plaintext highlighter-rouge">it</code> is added to reference a block parameter. [<a href="https://bugs.ruby-lang.org/issues/18980">Feature #18980</a>]</p> </li> <li> <p>Keyword splatting <code class="language-plaintext highlighter-rouge">nil</code> when calling methods is now supported. <code class="language-plaintext highlighter-rouge">**nil</code> is treated similarly to <code class="language-plaintext highlighter-rouge">**{}</code>, passing no keywords, and not calling any conversion methods. [<a href="https://bugs.ruby-lang.org/issues/20064">Bug #20064</a>]</p> </li> <li> <p>Block passing is no longer allowed in index. [<a href="https://bugs.ruby-lang.org/issues/19918">Bug #19918</a>]</p> </li> <li> <p>Keyword arguments are no longer allowed in index. [<a href="https://bugs.ruby-lang.org/issues/20218">Bug #20218</a>]</p> </li> </ul> <h2>Core classes updates</h2> <p>Note: We're only listing outstanding class updates.</p> <ul> <li> <p>Exception</p> <ul> <li><code class="language-plaintext highlighter-rouge">Exception#set_backtrace</code> now accepts an array of <code class="language-plaintext highlighter-rouge">Thread::Backtrace::Location</code>. <code class="language-plaintext highlighter-rouge">Kernel#raise</code>, <code class="language-plaintext highlighter-rouge">Thread#raise</code> and <code class="language-plaintext highlighter-rouge">Fiber#raise</code> also accept this new format. [<a href="https://bugs.ruby-lang.org/issues/13557">Feature #13557</a>]</li> </ul> </li> <li> <p>Range</p> <ul> <li><code class="language-plaintext highlighter-rouge">Range#size</code> now raises <code class="language-plaintext highlighter-rouge">TypeError</code> if the range is not iterable.
[<a href="https://bugs.ruby-lang.org/issues/18984">Misc #18984</a>]</li> </ul> </li> </ul> <h2>Compatibility issues</h2> <p>Note: Excluding feature bug fixes.</p> <ul> <li>Error messages and backtrace displays have been changed. <ul> <li>Use a single quote instead of a backtick as an opening quote. [<a href="https://bugs.ruby-lang.org/issues/16495">Feature #16495</a>]</li> <li>Display a class name before a method name (only when the class has a permanent name). [<a href="https://bugs.ruby-lang.org/issues/19117">Feature #19117</a>]</li> <li><code class="language-plaintext highlighter-rouge">Kernel#caller</code>, <code class="language-plaintext highlighter-rouge">Thread::Backtrace::Location</code>'s methods, etc. are also changed accordingly.</li> </ul> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Old: test.rb:1:in `foo': undefined method `time' for an instance of Integer from test.rb:2:in `&lt;main&gt;' New: test.rb:1:in 'Object#foo': undefined method 'time' for an instance of Integer from test.rb:2:in '&lt;main&gt;' </code></pre></div> </div> </li> <li><code class="language-plaintext highlighter-rouge">Hash#inspect</code> rendering has changed.
[<a href="https://bugs.ruby-lang.org/issues/20433">Bug #20433</a>] <ul> <li>Symbol keys are displayed using the modern symbol key syntax: <code class="language-plaintext highlighter-rouge">"{user: 1}"</code></li> <li>Other keys now have spaces around <code class="language-plaintext highlighter-rouge">=&gt;</code>: <code class="language-plaintext highlighter-rouge">'{"user" =&gt; 1}'</code>, while previously they didn't: <code class="language-plaintext highlighter-rouge">'{"user"=&gt;1}'</code></li> </ul> </li> </ul> <h2>C API updates</h2> <ul> <li><code class="language-plaintext highlighter-rouge">rb_newobj</code> and <code class="language-plaintext highlighter-rouge">rb_newobj_of</code> (and corresponding macros <code class="language-plaintext highlighter-rouge">RB_NEWOBJ</code>, <code class="language-plaintext highlighter-rouge">RB_NEWOBJ_OF</code>, <code class="language-plaintext highlighter-rouge">NEWOBJ</code>, <code class="language-plaintext highlighter-rouge">NEWOBJ_OF</code>) have been removed. [<a href="https://bugs.ruby-lang.org/issues/20265">Feature #20265</a>]</li> <li>Removed deprecated function <code class="language-plaintext highlighter-rouge">rb_gc_force_recycle</code>. [<a href="https://bugs.ruby-lang.org/issues/18290">Feature #18290</a>]</li> </ul> <h2>Implementation improvements</h2> <ul> <li><code class="language-plaintext highlighter-rouge">Array#each</code> is rewritten in Ruby for better performance [<a href="https://bugs.ruby-lang.org/issues/20182">Feature #20182</a>].</li> </ul> <h2>Miscellaneous changes</h2> <ul> <li> <p>Passing a block to a method which doesn't use the passed block will show a warning on verbose mode (<code class="language-plaintext highlighter-rouge">-w</code>).
[<a href="https://bugs.ruby-lang.org/issues/15554">Feature #15554</a>]</p> </li> <li> <p>Redefining some core methods that are specially optimized by the interpreter and JIT like <code class="language-plaintext highlighter-rouge">String.freeze</code> or <code class="language-plaintext highlighter-rouge">Integer#+</code> now emits a performance class warning (<code class="language-plaintext highlighter-rouge">-W:performance</code> or <code class="language-plaintext highlighter-rouge">Warning[:performance] = true</code>). [<a href="https://bugs.ruby-lang.org/issues/20429">Feature #20429</a>]</p> </li> </ul> <p>See GitHub releases like <a href="https://github.com/ruby/logger/releases">Logger</a> or changelog for details of the default gems or bundled gems.</p> <p>See <a href="https://github.com/ruby/ruby/blob/v3_4_0_preview2/NEWS.md">NEWS</a> or <a href="https://github.com/ruby/ruby/compare/v3_3_0...v3_4_0_preview2">commit logs</a> for more details.</p> <p>With those changes, <a href="https://github.com/ruby/ruby/compare/v3_3_0...v3_4_0_preview2#file_bucket">4422 files changed, 163889 insertions(+), 243380 deletions(-)</a> since Ruby 3.3.0!</p> <h2>Download</h2> <ul> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.0-preview2.tar.gz">https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.0-preview2.tar.gz</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 22722332 SHA1: c23265acf6c07b4c1df1e41eebf8b4cf2f25b97b SHA256: 443cd7ec54ade4786bc974ce9f5d49f172a60f8edc84b597b7fe2bd2a94b8371 SHA512: 0946d256587597bdf13437a50f7a3298c151133edea161a1c4806a04dcbd8c2e8a7fd617f3eda16c5c05f6e6346317562cc30ba67698f1fdd92237c03bdbd23e </code></pre></div> </div> </li> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.0-preview2.tar.xz">https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.0-preview2.tar.xz</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre
class="highlight"><code>SIZE: 16878876 SHA1: dbff404b969012702dc500cac72f4d6b3822068e SHA256: 626bf4fe952323c15ec9a8999f470ec136ef91c0fc34c484646aaaa9a0b62ca7 SHA512: f23257896a35d3a581cbf5e8c94fe28e45725e39608a7669f47f31085338b1b4929a4db40d826d8fee628afb97b0c25b2f9e7bda4cd42e80c1208c46caf54265 </code></pre></div> </div> </li> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.0-preview2.zip">https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.0-preview2.zip</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 28101194 SHA1: 479bd223bca3225fb3a15984e3eae4efb9a40189 SHA256: e00a6fbf6f9e25a725711a8aac7e38be6bed61de4db9862a405172b96bf38b5b SHA512: 0d9ee1c41920e4d594b0f2c40d02339b4e9a2cd5232f5ee914cab5a685cb4a2279fbbfd8fbad40ef0a53866db4e1de96068c62580ede6d8fab02550393bcbe81 </code></pre></div> </div> </li> </ul> <h2>What is Ruby</h2> <p>Ruby was first developed by Matz (Yukihiro Matsumoto) in 1993, and is now developed as Open Source. It runs on multiple platforms and is used all over the world especially for web development.</p> <p>Posted by naruse on 7 Oct 2024</p></description> <pubDate>Mon, 07 Oct 2024 00:00:00 +0000</pubDate> <guid>https://www.ruby-lang.org/en/news/2024/10/07/ruby-3-4-0-preview2-released/</guid> <link>https://www.ruby-lang.org/en/news/2024/10/07/ruby-3-4-0-preview2-released/</link> </item> <item> <title>Ruby 3.3.5 Released</title> <description><p>Ruby 3.3.5 has been released.</p> <p>This is a routine update that includes minor bug fixes. We recommend upgrading your Ruby version at your earliest convenience. 
For more details, please refer to the <a href="https://github.com/ruby/ruby/releases/tag/v3_3_5">GitHub release notes</a>.</p> <h2>Release Schedule</h2> <p>As previously <a href="https://www.ruby-lang.org/en/news/2024/07/09/ruby-3-3-4-released/">announced</a>, we intend to release the latest stable Ruby version (currently Ruby 3.3) every 2 months following a <code class="language-plaintext highlighter-rouge">.1</code> release.</p> <p>We expect to release Ruby 3.3.6 on November 5th and Ruby 3.3.7 on January 7th. If any significant changes arise that impact a large number of users, we may release a new version earlier than scheduled.</p> <h2>Download</h2> <ul> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.5.tar.gz">https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.5.tar.gz</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 22129139 SHA1: 59444476bbe9e789fc777d8fb4dd456bc057604f SHA256: 3781a3504222c2f26cb4b9eb9c1a12dbf4944d366ce24a9ff8cf99ecbce75196 SHA512: 5c482059628ef9de5d8a6ad4751f8043f2fc2b159b768265be7f3ee0574ad51d9500ee4fc9146c5978fbd51313039c3de39e7b7a4dedc9bcd5d09a41a713f1a7 </code></pre></div> </div> </li> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.5.tar.xz">https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.5.tar.xz</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 16403660 SHA1: 692bc3188bdb9ec30b8672543961b011d699590a SHA256: 51aec7ea89b46125a2c9adc6f36766b65023d47952b916b1aed300ddcc042359 SHA512: dd5c6a7f74854e143e0ca46b9d7c0d1983fc4886f5f733cd108345dbf4b21f61ad978ad6806e05a57b7af28fd9216dd38d7145808188bbb3695a7f3a4eda3883 </code></pre></div> </div> </li> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.5.zip">https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.5.zip</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre 
class="highlight"><code>SIZE: 27020194 SHA1: ccb32746aef491ce05be42218301e2c47185e5fc SHA256: d3c13e124707494935d00ebc5c7983b0252bc13de49223fd31104ba5467a057a SHA512: bf83af835a74283aff21042538ee1f1eb70ff12dac1edd4672d787547cd29cb7b69a9299682f89c8499eb610737b10a7fc03eca038574cb4ba565205d96b0016 </code></pre></div> </div> </li> </ul> <h2>Release Comment</h2> <p>Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.</p> <p>Posted by k0kubun on 3 Sep 2024</p></description> <pubDate>Tue, 03 Sep 2024 06:40:00 +0000</pubDate> <guid>https://www.ruby-lang.org/en/news/2024/09/03/3-3-5-released/</guid> <link>https://www.ruby-lang.org/en/news/2024/09/03/3-3-5-released/</link> </item> <item> <title>CVE-2024-43398: DoS vulnerability in REXML</title> <description><p>There is a DoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier <a href="https://www.cve.org/CVERecord?id=CVE-2024-43398">CVE-2024-43398</a>. We strongly recommend upgrading the REXML gem.</p> <h2>Details</h2> <p>When parsing an XML that has many deep elements that have the same local name attributes, REXML gem may take a long time.</p> <p>Only the tree parser API is affected.
If you're using <code class="language-plaintext highlighter-rouge">REXML::Document.new</code> to parse an XML, you may be affected.</p> <p>Please update REXML gem to version 3.3.6 or later.</p> <h2>Affected versions</h2> <ul> <li>REXML gem 3.3.5 or prior</li> </ul> <h2>Credits</h2> <p>Thanks to <a href="https://hackerone.com/l33thaxor">l33thaxor</a> for discovering this issue.</p> <h2>History</h2> <ul> <li>Originally published at 2024-08-22 03:00:00 (UTC)</li> </ul> <p>Posted by kou on 22 Aug 2024</p></description> <pubDate>Thu, 22 Aug 2024 03:00:00 +0000</pubDate> <guid>https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/</guid> <link>https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/</link> </item> <item> <title>CVE-2024-41946: DoS vulnerability in REXML</title> <description><p>There is a DoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier <a href="https://www.cve.org/CVERecord?id=CVE-2024-41946">CVE-2024-41946</a>. We strongly recommend upgrading the REXML gem.</p> <h2>Details</h2> <p>When parsing an XML that has many entity expansions with the SAX2 or pull parser API, REXML gem may take a long time.</p> <p>Please update REXML gem to version 3.3.3 or later.</p> <h2>Affected versions</h2> <ul> <li>REXML gem 3.3.2 or prior</li> </ul> <h2>Credits</h2> <p>Thanks to <a href="https://github.com/naitoh">NAITOH Jun</a> for discovering and fixing this issue.</p> <h2>History</h2> <ul> <li>Originally published at 2024-08-01 03:00:00 (UTC)</li> </ul> <p>Posted by kou on 1 Aug 2024</p></description> <pubDate>Thu, 01 Aug 2024 03:00:00 +0000</pubDate> <guid>https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/</guid> <link>https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/</link> </item> <item> <title>CVE-2024-41123: DoS vulnerabilities in REXML</title> <description><p>There are some DoS vulnerabilities in REXML gem.
These vulnerabilities have been assigned the CVE identifier <a href="https://www.cve.org/CVERecord?id=CVE-2024-41123">CVE-2024-41123</a>. We strongly recommend upgrading the REXML gem.</p> <h2>Details</h2> <p>When parsing an XML document that has many specific characters such as whitespace characters, <code class="language-plaintext highlighter-rouge">&gt;]</code> and <code class="language-plaintext highlighter-rouge">]&gt;</code>, REXML gem may take a long time.</p> <p>Please update REXML gem to version 3.3.3 or later.</p> <h2>Affected versions</h2> <ul> <li>REXML gem 3.3.2 or prior</li> </ul> <h2>Credits</h2> <p>Thanks to <a href="https://hackerone.com/mprogrammer">mprogrammer</a> and <a href="https://hackerone.com/scyoon">scyoon</a> for discovering these issues.</p> <h2>History</h2> <ul> <li>Originally published at 2024-08-01 03:00:00 (UTC)</li> </ul> <p>Posted by kou on 1 Aug 2024</p></description> <pubDate>Thu, 01 Aug 2024 03:00:00 +0000</pubDate> <guid>https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/</guid> <link>https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/</link> </item> <item> <title>Ruby 3.2.5 Released</title> <description><p>Ruby 3.2.5 has been released.</p> <p>This release includes many bug fixes. We also updated the version of the bundled gem <code class="language-plaintext highlighter-rouge">rexml</code> to include the following security fix.
<a href="/en/news/2024/07/16/dos-rexml-cve-2024-39908/">CVE-2024-39908 : DoS in REXML</a>.</p> <p>Please see the <a href="https://github.com/ruby/ruby/releases/tag/v3_2_5">GitHub releases</a> for further details.</p> <h2>Download</h2> <ul> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.5.tar.gz">https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.5.tar.gz</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 20619047 SHA1: e5166c947a4d9057b1310710a2a963df12264ac9 SHA256: ef0610b498f60fb5cfd77b51adb3c10f4ca8ed9a17cb87c61e5bea314ac34a16 SHA512: d86c0151fabf21b418b007465e3f5b3fd0b2de0a9652057fd465b1f7e91b01d00f83a737e972ea994a5d9231e8cb27e64e576852390fe6c2ad502f0d099fe5f4 </code></pre></div> </div> </li> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.5.tar.xz">https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.5.tar.xz</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 15189072 SHA1: b5f21884084077b1f684efe40144844b8b37a316 SHA256: 7780d91130139406d39b29ed8fe16bba350d8fa00e510c76bef9b8ec1340903c SHA512: 092348b84b513aec62e63ec10b326370d0e3d1fa3126c59c03c84f28e2d7741a4772c461b077ec6a7dac3964a20f434655729e1acd50a3438755d7ad64073305 </code></pre></div> </div> </li> <li> <p><a href="https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.5.zip">https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.5.zip</a></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 24777979 SHA1: 07e7638dd5ec40f261c820be523be619fdebe4aa SHA256: b001e6c157d79f6fb351d5be83ba389c6ca20000686bbdfc8d2b8a46d38a7183 SHA512: f7a05c96a22bd4018c4a79ff595e62aa92dc844ebaf3e66d50c7b35041fade7608806668b5cb25c17b360a3cd98df1c3e0f97c49448a968accab59a9dac97e47 </code></pre></div> </div> </li> </ul> <h2>Release Comment</h2> <p>Many committers, developers, and users who provided bug reports helped us make 
this release. Thanks for their contributions.</p> <p>Posted by nagachika on 26 Jul 2024</p></description> <pubDate>Fri, 26 Jul 2024 10:00:00 +0000</pubDate> <guid>https://www.ruby-lang.org/en/news/2024/07/26/ruby-3-2-5-released/</guid> <link>https://www.ruby-lang.org/en/news/2024/07/26/ruby-3-2-5-released/</link> </item> <item> <title>CVE-2024-39908: DoS vulnerability in REXML</title> <description><p>There is a DoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier <a href="https://www.cve.org/CVERecord?id=CVE-2024-39908">CVE-2024-39908</a>. We strongly recommend upgrading the REXML gem.</p> <h2>Details</h2> <p>When it parses an XML that has many specific characters such as <code class="language-plaintext highlighter-rouge">&lt;</code>, <code class="language-plaintext highlighter-rouge">0</code> and <code class="language-plaintext highlighter-rouge">%&gt;</code>, REXML gem may take a long time.</p> <p>Please update REXML gem to version 3.3.2 or later.</p> <h2>Affected versions</h2> <ul> <li>REXML gem 3.3.1 or prior</li> </ul> <h2>Credits</h2> <p>Thanks to <a href="https://hackerone.com/mprogrammer">mprogrammer</a> for discovering this issue.</p> <h2>History</h2> <ul> <li>Originally published at 2024-07-16 03:00:00 (UTC)</li> </ul> <p>Posted by watson1978 on 16 Jul 2024</p></description> <pubDate>Tue, 16 Jul 2024 03:00:00 +0000</pubDate> <guid>https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/</guid> <link>https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/</link> </item> </channel> </rss>