Ruby 2.3.8 Released
Ruby 2.3.8 has been released. This release includes several security
fixes. Please check the topics below for details.
* CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives
* CVE-2018-16395: OpenSSL::X509::Name equality check does not work
correctly
This release also includes a non-security fix to support
Visual Studio 2014 with Windows 10 October 2018 Update for
maintenance reasons.
Ruby 2.3 is now under the state of the security maintenance phase,
until the end of March 2019. After the date, maintenance of
Ruby 2.3 will be ended. We recommend you start planning migration to
newer versions of Ruby, such as 2.5 or 2.4.
Ruby 2.3.7 Released Posted by usa on 28 Mar 2018
Ruby 2.3.7 has been released.
This release includes about 70 bug fixes after the previous release, and also
includes several security fixes. Please check the topics below for details.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
See the ChangeLog for details.
After this release, we will end the normal maintenance phase of Ruby 2.3, and
start the security maintenance phase of it. This means that after the release
of 2.3.7 we will never backport any bug fixes to 2.3 except security fixes.
The term of the security maintenance phase is scheduled for 1 year. By the
end of this term, official support of Ruby 2.3 will be over. Therefore, we
recommend that you start planning to upgrade to Ruby 2.5 or 2.4.
Update ruby23-base/ruby23 to 2.3.6.
Ruby 2.3.6 has been released.
This release includes about 10 bug fixes after the previous release,
and also includes several security fixes. Please check the topics
below for details.
* CVE-2017-17405: Command injection vulnerability in Net::FTP
* Unsafe Object Deserialization Vulnerability in RubyGems
See the ChangeLog for details.
ruby23 packages to 2.3.5.
pkgsrc change: clean up PLIST.
Ruby 2.3.5 Released Posted by usa on 14 Sep 2017
Ruby 2.3.5 has been released.
This release includes about 70 bug fixes after the previous release, and also
includes several security fixes. Please check the topics below for details.
* CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
* CVE-2017-10784: Escape sequence injection vulnerability in the Basic
authentication of WEBrick
* CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
* CVE-2017-14064: Heap exposure vulnerability in generating JSON
* Multiple vulnerabilities in RubyGems
* Updated bundled libyaml to version 0.1.7
See the ChangeLog for details.
Ruby 2.3.4 Released 2017/3/30
Ruby 2.3.4 has been released.
This release contains about 80 bug fixes after the previous release. See the
commit logs for details.
And this release contains a bug fix of Symbol#hash to be non-deterministic.
This is a regression on the 2.3 series before 2.3.4. See Bug #13376 for more
details.
pkgsrc change: rubygems does not blame open-ended dependency unless verbose
option is enabled.
Ruby 2.3.2 Released Posted by nagachika on 15 Nov 2016
Ruby 2.3.2 has been released.
This is the TEENY version release of the stable 2.3 series.
This release contains update of RubyGems 2.5.2 and update of included ssl
certificates.
Ruby 2.3.3 Released Posted by nagachika on 21 Nov 2016
Ruby 2.3.3 has been released.
This release contains a bug fix about Refinements and Module#prepend. The
mixture use of Module#refine and Module#prepend to the same Class could cause
unexpected NoMethodError. This is a regression on Ruby 2.3.2 released last
week. See [Bug #12920] for details.
There are some bugfixes too. See the ChangeLog for details.
Ruby 2.3.1 Released Posted by nagachika on 26 Apr 2016
Ruby 2.3.1 has been released.
This is the first TEENY version release of the stable 2.3 series.
There are many bugfixes. See the ChangeLog for details.
I don't see a relation to relro, but the linker found out about
a missing symbol it didn't complain about before.
SVN 54139:
Thu Mar 17 11:36:27 2016 Nobuyoshi Nakada <nobu@ruby-lang.org>
* ext/socket/option.c (inspect_tcpi_msec): more accurate condition
for TCPI msec member inspection function.
[ruby-core:74388] [Bug #12185]
Bump PKGREVISION.
From release announce:
Ruby 2.3.0 Released
Posted by naruse on 25 Dec 2015
We are pleased to announce the release of Ruby 2.3.0.
This is the first stable release of Ruby 2.3 series. It introduces many new
features for example:
A Frozen String Literal Pragma is introduced. With Ruby 2.1, "str".freeze has
been optimized to reduce object allocation. Ruby 2.3 introduces a new magic
comment and command line option to freeze all string literals in the source
files. Additionally for debugging, you can get where the object is created on
"can't modify frozen String" error by --debug=frozen-string-literal command
line option.
A safe navigation operator (so-called lonely operator) &., which already
exists in C#, Groovy, and Swift, is introduced to ease nil handling as
obj&.foo. Array#dig and Hash#dig are also added. Note that this behaves as
try! of Active Support, which specially handle only nil.
The did_you_mean gem is bundled. The did_you_mean gem shows the candidates on
the NameError and NoMethodError to ease debugging.
RubyVM::InstructionSequence#to_binary and .load_from_binary are introduced as
an experimental feature. With these features, we can make an ISeq (bytecode)
pre-compilation system.
It also includes many performance improvements for example, reconsider method
entry data structure, introducing new table data structure, optimize
Proc#call, machine code level tuning for object allocation and method calling
code, smarter instance variable data structure, Socket and I/O allow to use
“exception:” keywords for high-performance non-blocking I/O and so on. Check
“Implementation improvements” section in NEWS file.
For a complete list of new features and compatibility notes, please see NEWS
and ChangeLog.