Ruby News
https://www.ruby-lang.org/en/feeds/news.rss
en-US
40
The latest news from ruby-lang.org.
-
Ruby 3.4.5 Released
<p>Ruby 3.4.5 has been released.</p>
<p>This is a routine update that includes bug fixes and GCC 15 support. Please refer to the
<a href="https://github.com/ruby/ruby/releases/tag/v3_4_5">release notes on GitHub</a> for further details.</p>
<h2>Release Schedule</h2>
<p>We intend to release the latest stable Ruby version (currently Ruby 3.4) every two months following the most recent release.
Ruby 3.4.6 is scheduled for September, 3.4.7 for November, and 3.4.8 for January.</p>
<p>If a change arises that significantly affects users, a release may occur earlier than planned, and the subsequent schedule may shift accordingly.</p>
<h2>Download</h2>
<ul>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.5.tar.gz">https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.5.tar.gz</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 23237143
SHA1: ae40a537434bf432aa3b828bc4d13a295854cf40
SHA256: 1d88d8a27b442fdde4aa06dc99e86b0bbf0b288963d8433112dd5fac798fd5ee
SHA512: 985928770dc8cd551de8df75c95e33b454586e88b532d98fef2d1bcaf74750ebc0265cf0517a5a7df8dbf273e33fb8f6f22c3915327f8a26227cc0abcfd4964f
</code></pre></div> </div>
</li>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.5.tar.xz">https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.5.tar.xz</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 17265032
SHA1: d4e7363acb04604bd67276ed3c2ad016c2de87b2
SHA256: 7b3a905b84b8777aa29f557bada695c3ce108390657e614d2cc9e2fb7e459536
SHA512: 1f5d2fd527d15bd81ca8f49767d6426533367c1018a1d275d34721a96410b51204236173224e5198a42b56162c6e7a7b0c060fc032a9fd7f250b44e05c7af560
</code></pre></div> </div>
</li>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.5.zip">https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.5.zip</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 28405937
SHA1: 33cb17388dfa915638eeea3ddd156b5c79f79428
SHA256: e1672ad3da2a8ea7820f4ede55d1d6f451c7f011c160991d4c9bdd4a38d18658
SHA512: 557e220bca925d05af83d6779dbdf698f32f6e8b57c5138e9da80b02085faa134568a894949d2242ea1fe22b020035aa2b279c04791ac37c17f89dbf597a66c4
</code></pre></div> </div>
</li>
</ul>
<h2>Release Comment</h2>
<p>Many committers, developers, and users who provided bug reports helped us make this release.
Thanks for their contributions.</p>
<p>Posted by k0kubun on 15 Jul 2025</p>
Tue, 15 Jul 2025 17:00:00 +0000
https://www.ruby-lang.org/en/news/2025/07/15/ruby-3-4-5-released/
-
CVE-2025-24294: Possible Denial of Service in resolv gem
<p>A denial of service vulnerability has been discovered in the <code class="language-plaintext highlighter-rouge">resolv</code> gem bundled with Ruby.
This vulnerability has been assigned the CVE identifier <a href="https://www.cve.org/CVERecord?id=CVE-2025-24294">CVE-2025-24294</a>.
We recommend upgrading the resolv gem.</p>
<h2>Details</h2>
<p>The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.</p>
<p>An attacker can craft a malicious DNS packet containing a highly compressed domain name.
When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.</p>
<p>This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.</p>
<h2>Affected versions</h2>
<p>The vulnerability affects the resolv gem bundled with the following Ruby series:</p>
<ul>
<li>Ruby 3.2 series: resolv version 0.2.2 and earlier</li>
<li>Ruby 3.3 series: resolv version 0.3.0</li>
<li>Ruby 3.4 series: resolv version 0.6.1 and earlier</li>
</ul>
<h2>Credits</h2>
<p>Thanks to <a href="https://hackerone.com/manun">Manu</a> for discovering this issue.</p>
<h2>History</h2>
<ul>
<li>Originally published at 2025-07-08 07:00:00 (UTC)</li>
</ul>
<p>Posted by mame on 8 Jul 2025</p>
Tue, 08 Jul 2025 07:00:00 +0000
https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294/
-
Ruby 3.4.4 Released
<p>Ruby 3.4.4 has been released.</p>
<p>This release includes a fix for a YJIT bug related to local variables and addresses a build issue on Windows when using GCC 15.
It was released ahead of schedule to make these fixes available as soon as possible.
A few other bug fixes are also included.</p>
<p>Please see the <a href="https://github.com/ruby/ruby/releases/tag/v3_4_4">release notes on GitHub</a> for further details.</p>
<h2>Release Schedule</h2>
<p>We intend to release the latest stable Ruby version (currently Ruby 3.4) every two months following the most recent release.
Following this release (3.4.4), Ruby 3.4.5 is scheduled for July, 3.4.6 for September, 3.4.7 for November, and 3.4.8 for January.</p>
<p>If a change arises that significantly affects users, a release may occur earlier than planned, and the subsequent schedule may shift accordingly.</p>
<h2>Download</h2>
<ul>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.4.tar.gz">https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.4.tar.gz</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 23204581
SHA1: aff18f17868d076f4516ea4209931ad55b264f73
SHA256: a0597bfdf312e010efd1effaa8d7f1d7833146fdc17950caa8158ffa3dcbfa85
SHA512: ec52e338a9558e5fb0975be4249ff47a2d8c7926d8ae3af58f4e5a233f400f75da88ce8254bac7a8cd7a6b0b87fd4eb7315944c76be43719782bd0c16040197b
</code></pre></div> </div>
</li>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.4.tar.xz">https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.4.tar.xz</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 17255388
SHA1: 83ddf983c194b353634e91a86b466ce0d01bff39
SHA256: f76d63efe9499dedd8526b74365c0c811af00dc9feb0bed7f5356488476e28f4
SHA512: 0d258cf790daad424c866404b5cbdc8adba0e4e13764847a89adf2335229e5184095c9f3e9594705897697e48bcc322d9a9f919b04047abb2075daca9fce8871
</code></pre></div> </div>
</li>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.4.zip">https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.4.zip</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 28372208
SHA1: 77377010d19109939fe11cadf1c210deda8ec202
SHA256: 7c64e2c303ef8433e01cb3afd9be094707a9aa60355fcee08d12ca90e1e46399
SHA512: f8dada5fae978b3eb82ed6863d3e8e25dfd90b3348eace2400d7428b0a1a9362bf88dc3138ef4b68bc5aaff781e90388e428390f5f55c5667fd24e4754544814
</code></pre></div> </div>
</li>
</ul>
<h2>Release Comment</h2>
<p>Many committers, developers, and users who provided bug reports helped us make this release.
Thanks for their contributions.</p>
<p>Posted by k0kubun on 14 May 2025</p>
Wed, 14 May 2025 18:20:00 +0000
https://www.ruby-lang.org/en/news/2025/05/14/ruby-3-4-4-released/
-
CVE-2025-43857: DoS vulnerability in net-imap
<p>There is a possibility of DoS in the net-imap gem. This vulnerability has been assigned the CVE identifier <a href="https://www.cve.org/CVERecord?id=CVE-2025-43857">CVE-2025-43857</a>. We recommend upgrading the net-imap gem.</p>
<h2>Details</h2>
<p>A malicious server can send a “literal” byte count which is automatically read by the client’s receiver thread. The response reader immediately allocates memory for the number of bytes indicated by the server response. This should not be an issue when securely connecting to trusted IMAP servers that are well-behaved. It affects insecure connections and buggy, untrusted, or compromised servers (for example, connecting to a user-supplied hostname).</p>
<p>Please update net-imap gem to version 0.2.5, 0.3.9, 0.4.20, 0.5.7, or later.</p>
<p>When connecting to untrusted servers or using an insecure connection, <code class="language-plaintext highlighter-rouge">max_response_size</code> and response handlers must be configured appropriately to limit memory consumption. See <a href="https://github.com/ruby/net-imap/security/advisories/GHSA-j3g3-5qv5-52mj">GHSA-j3g3-5qv5-52mj</a> for more details.</p>
<h2>Affected versions</h2>
<p>net-imap gem versions <= 0.2.4, 0.3.0 to 0.3.8, 0.4.0 to 0.4.19, and 0.5.0 to 0.5.6.</p>
<h2>Credits</h2>
<p>Thanks to <a href="https://hackerone.com/masamune_">Masamune</a> for discovering this issue.</p>
<h2>History</h2>
<ul>
<li>Originally published at 2025-04-28 16:02:04 (UTC)</li>
</ul>
<p>Posted by nevans on 28 Apr 2025</p>
Mon, 28 Apr 2025 16:02:04 +0000
https://www.ruby-lang.org/en/news/2025/04/28/dos-net-imap-cve-2025-43857/
-
Ruby 3.5.0 preview1 Released
<p>We are pleased to announce the release of Ruby 3.5.0-preview1. Ruby 3.5 updates its Unicode version to 15.1.0, and so on.</p>
<h2>Language changes</h2>
<ul>
<li><code class="language-plaintext highlighter-rouge">*nil</code> no longer calls <code class="language-plaintext highlighter-rouge">nil.to_a</code>, similar to how <code class="language-plaintext highlighter-rouge">**nil</code> does
not call <code class="language-plaintext highlighter-rouge">nil.to_hash</code>. [<a href="https://bugs.ruby-lang.org/issues/21047">Feature #21047</a>]</li>
</ul>
<h2>Core classes updates</h2>
<p>Note: We’re only listing notable updates of Core class.</p>
<ul>
<li>
<p>Binding</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">Binding#local_variables</code> no longer includes numbered parameters.
Also, <code class="language-plaintext highlighter-rouge">Binding#local_variable_get</code> and <code class="language-plaintext highlighter-rouge">Binding#local_variable_set</code> refuse to handle numbered parameters.
[<a href="https://bugs.ruby-lang.org/issues/21049">Bug #21049</a>]</li>
</ul>
</li>
<li>
<p>IO</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">IO.select</code> accepts <code class="language-plaintext highlighter-rouge">Float::INFINITY</code> as a timeout argument.
[<a href="https://bugs.ruby-lang.org/issues/20610">Feature #20610</a>]</li>
</ul>
</li>
<li>
<p>String</p>
<ul>
<li>Update Unicode to Version 15.1.0 and Emoji Version 15.1. [<a href="https://bugs.ruby-lang.org/issues/19908">Feature #19908</a>]
(also applies to Regexp)</li>
</ul>
</li>
</ul>
<h2>Standard Library updates</h2>
<p>Note: We’re only listing notable updates of Standard libraries.</p>
<ul>
<li>ostruct 0.6.1</li>
<li>pstore 0.2.0</li>
<li>benchmark 0.4.0</li>
<li>logger 1.7.0</li>
<li>rdoc 6.13.1</li>
<li>win32ole 1.9.2</li>
<li>irb 1.15.2</li>
<li>reline 0.6.1</li>
<li>readline 0.0.4</li>
<li>fiddle 1.1.6</li>
</ul>
<h2>Compatibility issues</h2>
<p>Note: Excluding feature bug fixes.</p>
<h2>Standard library compatibility issues</h2>
<h2>C API updates</h2>
<h2>Miscellaneous changes</h2>
<p>See <a href="https://github.com/ruby/ruby/blob/v3_5_0_preview1/NEWS.md">NEWS</a>
or <a href="https://github.com/ruby/ruby/compare/v3_4_0...v3_5_0_preview1">commit logs</a>
for more details.</p>
<p>With those changes, <a href="https://github.com/ruby/ruby/compare/v3_3_0...v3_5_0_preview1#file_bucket">2065 files changed, 36581 insertions(+), 203037 deletions(-)</a>
since Ruby 3.4.0!</p>
<h2>Download</h2>
<ul>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.5/ruby-3.5.0-preview1.tar.gz">https://cache.ruby-lang.org/pub/ruby/3.5/ruby-3.5.0-preview1.tar.gz</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 23146162
SHA1: ee0fcfe1342116f05060279ff0c9eb1e215db0b9
SHA256: ecf09c7eb902e91cdaf9cc553cd00cca9b848b3fc0e14297850f9ab08cdd46f0
SHA512: d718973648705636eff5933a0919132fd1f6b9afea432e09cce1265c6e0125e11cc94dbff84cba1caefc03190c48d8af4a27337d2af031f3f1660ca3a3531211
</code></pre></div> </div>
</li>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.5/ruby-3.5.0-preview1.tar.xz">https://cache.ruby-lang.org/pub/ruby/3.5/ruby-3.5.0-preview1.tar.xz</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 17443928
SHA1: 8a78a9189afa20cde42207a466bcf7d421ee144b
SHA256: c6cc1e9f23fe4719b024b8305345ca0cff4e1bc159f3ebff86cb5b87969863aa
SHA512: 835bd0b65d546722c83b0ab454256357b48898a0de9aa8e38966f53d2370a6e99552eeaff76a0b680aefbbe7491e701e5e7357797e50f063c53e79d9561c1dac
</code></pre></div> </div>
</li>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.5/ruby-3.5.0-preview1.zip">https://cache.ruby-lang.org/pub/ruby/3.5/ruby-3.5.0-preview1.zip</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 28548713
SHA1: bd0c32bc84ac1ce9edbc9c0a50e8c72e56b1229d
SHA256: 3e1d9df578c69976a01a69b961819d00c4e8942f8b5fe4fb8e135fca4f7e7e5e
SHA512: 47057e1615b2b59d5bbd0d6629e1320ed74f3d70748f1db4e8b88d6c8a3ecd255eacc7dac0cccd01923fae4b4dff9e6b9457a9858c81dab81c1ab9ee514b15fa
</code></pre></div> </div>
</li>
</ul>
<h2>What is Ruby</h2>
<p>Ruby was first developed by Matz (Yukihiro Matsumoto) in 1993,
and is now developed as Open Source. It runs on multiple platforms
and is used all over the world especially for web development.</p>
<p>Posted by naruse on 18 Apr 2025</p>
Fri, 18 Apr 2025 00:00:00 +0000
https://www.ruby-lang.org/en/news/2025/04/18/ruby-3-5-0-preview1-released/
-
Ruby 3.4.3 Released
<p>Ruby 3.4.3 has been released.</p>
<p>This is a routine update that includes bug fixes. Please refer to the
<a href="https://github.com/ruby/ruby/releases/tag/v3_4_3">release notes on GitHub</a> for further details.</p>
<h2>Release Schedule</h2>
<p>We intend to release the latest stable Ruby version (currently Ruby 3.4) every 2 months.
Ruby 3.4.4 will be released in June, 3.4.5 in August, 3.4.6 in October, and 3.4.7 in December.</p>
<p>If there’s any change that affects a considerable amount of people, those versions may be released earlier than expected.</p>
<h2>Download</h2>
<ul>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.3.tar.gz">https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.3.tar.gz</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 23194448
SHA1: c269cd122ab9d4620a1e0e6a8f4de378deec3799
SHA256: 55a4cd1dcbe5ca27cf65e89a935a482c2bb2284832939266551c0ec68b437f46
SHA512: 7019889939713c3e649003fed4d973dced36239fc354cfdee2d01dbdeb7e8512881a31b00efc3d5017f08cd492aed7914d15927bc8d076c0cae7534273e471e9
</code></pre></div> </div>
</li>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.3.tar.xz">https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.3.tar.xz</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 17230984
SHA1: d0d86fdfe6bcf9f2eb3b450f3209f655ceda86da
SHA256: 174dcd8c516694f833fd3c93ea227fa6c3321464577a3882a6fc7e4fe20237fd
SHA512: b30aad675cdcc1bdfe9e5fffe9d1925db3b3ac854a5e34180c368bc6e66f73e29ba5d802fea249353b7d799c01384c58bdd763fd1b679303158baa7824b9c08e
</code></pre></div> </div>
</li>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.3.zip">https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.3.zip</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 28356998
SHA1: 87cb747a766660cf487a2e9dbbc7a18a8f6b65d9
SHA256: 06b8bf2ddf2642327c992d30f5d414ffa5a5df0c4c706d7b2507b42509fb5055
SHA512: b25289c899318ce5071b075fc1b75f602e0a543faeefa44df7e8064933500f9c357685fe21d09abc4034d481c22c89491c841f596d07e1cd269d800e6266cc24
</code></pre></div> </div>
</li>
</ul>
<h2>Release Comment</h2>
<p>Many committers, developers, and users who provided bug reports helped us make this release.
Thanks for their contributions.</p>
<p>Posted by k0kubun on 14 Apr 2025</p>
Mon, 14 Apr 2025 08:06:57 +0000
https://www.ruby-lang.org/en/news/2025/04/14/ruby-3-4-3-released/
-
Ruby 3.3.8 Released
<p>Ruby 3.3.8 has been released.</p>
<p>Please see the <a href="https://github.com/ruby/ruby/releases/tag/v3_3_8">GitHub releases</a> for further details.</p>
<h2>Download</h2>
<ul>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.8.tar.gz">https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.8.tar.gz</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 22197497
SHA1: 71b8362d413f58ed5aef2ecd132769210c45f058
SHA256: 5ae28a87a59a3e4ad66bc2931d232dbab953d0aa8f6baf3bc4f8f80977c89cab
SHA512: c5005ba4019fbae19650a9a9ce139e13608345065da9e2277dbeac9d0ac9e3b07b666816afe7be690088080c8c9cf88a8c372971d429479dcebea80d6c2e3883
</code></pre></div> </div>
</li>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.8.tar.xz">https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.8.tar.xz</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 16435924
SHA1: 9ee07098fd930744d8df5d4945b5f99d2fecb9ef
SHA256: 44ae70fee043da3ce48289b7a52618ebe32dc083253993d486211c7e445c8642
SHA512: 71c2f3ac9955e088fa885fd2ff695e67362a770a5d33e5160081eda3dd298ca2c692e299b03d757caecfbc94043fedc4ad093de84c505585d480cb36bbf978b9
</code></pre></div> </div>
</li>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.8.zip">https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.8.zip</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 27628937
SHA1: 4c0d938d2791ab696e921557aec19613bb364a67
SHA256: 389b8deae02849e769855dea892c921d3387b6548209189837a00f1cdf353797
SHA512: 1aa6a0412760d0d1f423cd5f02533696b7c952c04f567b89aa875997e1d53a548c294c0b771a9e06e666daab038e3481a6251e361163449f92b02ab3a89a6373
</code></pre></div> </div>
</li>
</ul>
<h2>Release Comment</h2>
<p>Many committers, developers, and users who provided bug reports helped us make this release.
Thanks for their contributions.</p>
<p>Posted by nagachika on 9 Apr 2025</p>
Wed, 09 Apr 2025 11:00:00 +0000
https://www.ruby-lang.org/en/news/2025/04/09/ruby-3-3-8-released/
-
Ruby 3.2.8 Released
<p>Ruby 3.2.8 has been released. This release includes <a href="https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/">CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221 fixes</a>.</p>
<p>Please see the <a href="https://github.com/ruby/ruby/releases/tag/v3_2_8">GitHub releases</a> for further details.</p>
<p>This is the last version in normal maintenance for the Ruby 3.2 series. We will fix only security issues for the Ruby 3.2 series until the end of March 2026.</p>
<p>Please consider upgrading to Ruby 3.3 or 3.4 series.</p>
<h2>Download</h2>
<ul>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.8.tar.gz">https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.8.tar.gz</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 20549999
SHA1: 419ecff4a0f8e805ddb1314344ffad33afde91d8
SHA256: 77acdd8cfbbe1f8e573b5e6536e03c5103df989dc05fa68c70f011833c356075
SHA512: 342d9ce337936cdbaa5d63a4d393edf0594e431add8cec3b6f17b884075bfdc5aa7a843c03f4ee3bece01700dfa4707bba653715a628d9dcb230762dbd3e5ac8
</code></pre></div> </div>
</li>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.8.tar.xz">https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.8.tar.xz</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 15130380
SHA1: 570b529a10784fc16bb0339e6d37408adf9cd31d
SHA256: 1cccd3100155275293ae5d4ea0a1a1068f5de69e71732220f144acce26327a3c
SHA512: 19ff96619945d907e509803b85ecf21750ffa4ae033045272feb43c183ab180d0033b98cf47c18804e448f01bc1928e3b833c61c98446dbe6be31fb9ea6b059d
</code></pre></div> </div>
</li>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.8.zip">https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.8.zip</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 25134315
SHA1: c80bf2e90b3bbfbedc9c8b65d401ce4bd0ed4263
SHA256: c8ca517937c05e03ae52c41dad16ccf12ffae323365e73f3720142421f3aa2c7
SHA512: e248bc2a37b32edca0508df3016ac933089170deba6eec5479d8fb45a3d022c4c9532de2b5486863d30233bd276b14335e8d5ee97c371746b26d64f4864e80d3
</code></pre></div> </div>
</li>
</ul>
<h2>Release Comment</h2>
<p>Many committers, developers, and users who provided bug reports helped us make this release.
Thanks for their contributions.</p>
<p>Posted by hsbt on 26 Mar 2025</p>
Wed, 26 Mar 2025 04:45:01 +0000
https://www.ruby-lang.org/en/news/2025/03/26/ruby-3-2-8-released/
-
Ruby 3.1.7 Released
<p>Ruby 3.1.7 has been released. This release includes <a href="https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/">CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221 fixes</a> and updates the bundled REXML and RSS gems.</p>
<p>Please see the <a href="https://github.com/ruby/ruby/releases/tag/v3_1_7">GitHub releases</a> for further details.</p>
<p>This is the final release of the Ruby 3.1 series. We will not provide any further updates, including security fixes, for the Ruby 3.1 series.</p>
<p>We recommend upgrading to the Ruby 3.3 or 3.4 series.</p>
<h2>Download</h2>
<ul>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.1/ruby-3.1.7.tar.gz">https://cache.ruby-lang.org/pub/ruby/3.1/ruby-3.1.7.tar.gz</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 20811481
SHA1: c2023f05989241d1f21409b980ffbda83b1cbe7b
SHA256: 0556acd69f141ddace03fa5dd8d76e7ea0d8f5232edf012429579bcdaab30e7b
SHA512: a8432aaeaee4f48027ab30b7870bc61350840761b9d72b0b399d8fdfa96acb3c8f1ebe63663bcd8d835dd89b21128a07ef8f0c0c47eb41b942c169954ccb7edd
</code></pre></div> </div>
</li>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.1/ruby-3.1.7.tar.xz">https://cache.ruby-lang.org/pub/ruby/3.1/ruby-3.1.7.tar.xz</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 15196628
SHA1: 1437e9ec92f2c166f5b04dbb0c21ac299aca0542
SHA256: 658acc455b6bda87ac6cc1380e86552b9c1af87055e7a127589c5bf7ed80b035
SHA512: 44e013f6e8d159a49125d24eaf02f58e02997fcd7bd4f4370250248c2d3264fb45183e33797638a7d9a2907fb48fe1b46f5f45514d60a800f96bce2c10baca82
</code></pre></div> </div>
</li>
<li>
<p><a href="https://cache.ruby-lang.org/pub/ruby/3.1/ruby-3.1.7.zip">https://cache.ruby-lang.org/pub/ruby/3.1/ruby-3.1.7.zip</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SIZE: 25555673
SHA1: c2eeaba7ebdabc84ca7b77a14a1f83b16397c87e
SHA256: ab91106d0686cd30c375c309c58a5b96e68ac56e96c453c1d4f3fbb6c548dec7
SHA512: febc49a0350558a8f3ad0d683c94321fc3437201c1adafdaa4e1a454234eef857d324e6ee1f95f5998d96fafce7f3a6c39483b3251a4a9ed4f64d80a1f73964e
</code></pre></div> </div>
</li>
</ul>
<h2>Release Comment</h2>
<p>Many committers, developers, and users who provided bug reports helped us make this release.
Thanks for their contributions.</p>
<p>Posted by hsbt on 26 Mar 2025</p>
Wed, 26 Mar 2025 04:44:27 +0000
https://www.ruby-lang.org/en/news/2025/03/26/ruby-3-1-7-released/
-
Security advisories: CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221
<p>We published security advisories for CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221. Please read the details below.</p>
<h2>CVE-2025-27219: Denial of Service in <code class="language-plaintext highlighter-rouge">CGI::Cookie.parse</code>.</h2>
<p>There is a possibility of DoS in the cgi gem. This vulnerability has been assigned the CVE identifier <a href="https://www.cve.org/CVERecord?id=CVE-2025-27219">CVE-2025-27219</a>. We recommend upgrading the cgi gem.</p>
<h3>Details</h3>
<p><code class="language-plaintext highlighter-rouge">CGI::Cookie.parse</code> took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service.</p>
<p>Please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.</p>
<h3>Affected versions</h3>
<ul>
<li>cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.</li>
</ul>
<h3>Credits</h3>
<p>Thanks to <a href="https://hackerone.com/lio346">lio346</a> for discovering this issue. Also thanks to <a href="https://github.com/mame">mame</a> for fixing this vulnerability.</p>
<h2>CVE-2025-27220: ReDoS in <code class="language-plaintext highlighter-rouge">CGI::Util#escapeElement</code>.</h2>
<p>There is a possibility of Regular expression Denial of Service (ReDoS) in the cgi gem. This vulnerability has been assigned the CVE identifier <a href="https://www.cve.org/CVERecord?id=CVE-2025-27220">CVE-2025-27220</a>. We recommend upgrading the cgi gem.</p>
<h3>Details</h3>
<p>The regular expression used in <code class="language-plaintext highlighter-rouge">CGI::Util#escapeElement</code> is vulnerable to ReDoS. Crafted input could lead to high CPU consumption.</p>
<p>This vulnerability only affects Ruby 3.1 and 3.2. If you are using these versions, please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.</p>
<h3>Affected versions</h3>
<ul>
<li>cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.</li>
</ul>
<h3>Credits</h3>
<p>Thanks to <a href="https://hackerone.com/svalkanov">svalkanov</a> for discovering this issue. Also thanks to <a href="https://github.com/nobu">nobu</a> for fixing this vulnerability.</p>
<h2>CVE-2025-27221: userinfo leakage in <code class="language-plaintext highlighter-rouge">URI#join</code>, <code class="language-plaintext highlighter-rouge">URI#merge</code> and <code class="language-plaintext highlighter-rouge">URI#+</code>.</h2>
<p>There is a possibility of userinfo leakage in the uri gem. This vulnerability has been assigned the CVE identifier <a href="https://www.cve.org/CVERecord?id=CVE-2025-27221">CVE-2025-27221</a>. We recommend upgrading the uri gem.</p>
<h3>Details</h3>
<p>The methods <code class="language-plaintext highlighter-rouge">URI#join</code>, <code class="language-plaintext highlighter-rouge">URI#merge</code>, and <code class="language-plaintext highlighter-rouge">URI#+</code> retained userinfo, such as <code class="language-plaintext highlighter-rouge">user:password</code>, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur.</p>
<p>Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.</p>
<h3>Affected versions</h3>
<ul>
<li>uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2.</li>
</ul>
<h3>Credits</h3>
<p>Thanks to <a href="https://hackerone.com/lambdasawa">Tsubasa Irisawa (lambdasawa)</a> for discovering this issue. Also thanks to <a href="https://github.com/nobu">nobu</a> for additional fixes of this vulnerability.</p>
<h2>History</h2>
<ul>
<li>Originally published at 2025-02-26 7:00:00 (UTC)</li>
</ul>
<p>Posted by hsbt on 26 Feb 2025</p>
Wed, 26 Feb 2025 07:00:00 +0000
https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/