This release is a re-package of 2.4.8, because the previous Ruby 2.4.8
release tarball does not install.
(See [Bug #16197] for details.)
There is no essential change between 2.4.8 and 2.4.9 except the version number.
Ruby 2.4 is now under the state of the security maintenance phase, until
the end of March of 2020. After that date, maintenance of Ruby 2.4
will be ended. We recommend you start planning the migration to newer
versions of Ruby, such as 2.6 or 2.5.
A regular expression denial of service (ReDoS) vulnerability was found in WEBrick's Digest authentication module. An attacker can exploit this vulnerability to cause an effective denial of service against a WEBrick service.
A NUL injection vulnerability in the Ruby built-in methods File.fnmatch and File.fnmatch? was found. An attacker who controls the path pattern parameter could exploit this vulnerability to make path matching succeed contrary to the program author's intention.
CVE-2019-15845 has been assigned to this vulnerability.
Details
The built-in method File.fnmatch and its alias File.fnmatch? take the path pattern as their first parameter. When the pattern contains a NUL character (\0), the methods treat the pattern as ending immediately before the NUL byte. Therefore, if a script uses external input as the pattern argument, an attacker can make the call wrongly match the pathname passed as the second parameter.
All users running any affected releases should upgrade as soon as possible.
Affected Versions
All releases that are Ruby 2.3 or earlier
Ruby 2.4 series: Ruby 2.4.7 or earlier
Ruby 2.5 series: Ruby 2.5.6 or earlier
Ruby 2.6 series: Ruby 2.6.4 or earlier
Ruby 2.7.0-preview1
prior to master commit a0a2640b398cffd351f87d3f6243103add66575b
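The following is an added example, not code from the advisory or from Ruby itself. It shows the pattern the advisory describes: an application that builds the fnmatch pattern from a user-supplied prefix and a fixed suffix, a defensive wrapper that rejects NUL bytes before the pattern reaches File.fnmatch, and a probe that reports whether the running interpreter still truncates the pattern at the NUL. The helper names, the "*.txt" suffix and the sample inputs are illustrative assumptions.

```ruby
# Added example (not from the advisory). Assumed scenario: the application lets a
# user filter files by a glob prefix and always appends "*.txt" so that only
# text files can match.
ALLOWED_SUFFIX = "*.txt"

# Hypothetical vulnerable helper: the untrusted prefix goes straight into the
# pattern. On affected releases a prefix of "*\0" yields the pattern "*\0*.txt",
# which is silently cut to "*" and therefore matches any path at all.
def match_user_glob_unsafe(user_prefix, path)
  File.fnmatch(user_prefix + ALLOWED_SUFFIX, path)
end

# Hardened helper: reject NUL bytes explicitly, independent of whether the
# interpreter's own fix (ArgumentError on NUL in the pattern) is present.
def match_user_glob(user_prefix, path)
  raise ArgumentError, "pattern contains NUL byte" if user_prefix.include?("\0")
  File.fnmatch(user_prefix + ALLOWED_SUFFIX, path)
end

# Probe for the running interpreter: true means the pattern was truncated at the
# NUL (vulnerable behaviour), false means File.fnmatch rejected it.
def fnmatch_truncates_at_nul?
  File.fnmatch("*\0*.txt", "secret.rb")
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "interpreter truncates pattern at NUL: #{fnmatch_truncates_at_nul?}"
  puts "report-1.txt matches: #{match_user_glob("report-", "report-1.txt")}"
end
```

On a fixed release the probe returns false because File.fnmatch raises ArgumentError for a pattern containing a null byte; the explicit check in match_user_glob keeps the application safe on either kind of interpreter.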
There is an HTTP response splitting vulnerability in WEBrick bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2019-16254.
Details
If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients.
This is the same issue as CVE-2017-17742. The previous fix was incomplete, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
All users running an affected release should upgrade immediately.
Affected Versions
All releases that are Ruby 2.3 or earlier
Ruby 2.4 series: Ruby 2.4.7 or earlier
Ruby 2.5 series: Ruby 2.5.6 or earlier
Ruby 2.6 series: Ruby 2.6.4 or earlier
Ruby 2.7.0-preview1
prior to master commit 3ce238b5f9795581eb84114dcfbdf4aa086bfecc
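The following is an added example, not WEBrick code. It contrasts a check that only rejects the two-byte CRLF sequence (the incomplete fix the advisory refers to) with one that rejects any bare CR or LF, and shows a small header serialiser that refuses to emit a value that would split the header block. The attacker-supplied redirect target is a constructed input and the function names are illustrative.

```ruby
# Added example (not WEBrick code). Demonstrates why filtering only "\r\n" is
# insufficient for HTTP response splitting.

# Incomplete check: only the two-byte CRLF sequence is rejected.
def crlf_only_safe?(value)
  !value.include?("\r\n")
end

# Complete check: any lone CR or LF (and NUL, which some parsers also mishandle)
# is rejected, because lenient clients and proxies accept a bare CR or LF as a
# line terminator and would see a second header where the server meant one.
def header_value_safe?(value)
  !value.match?(/[\r\n\0]/)
end

# Serialises a status line and a header hash the way an HTTP/1.1 server does,
# raising instead of writing a value that would split the header block.
def render_headers(status, headers)
  lines = ["HTTP/1.1 #{status}"]
  headers.each do |name, value|
    raise ArgumentError, "unsafe header value for #{name}" unless header_value_safe?(value)
    lines << "#{name}: #{value}"
  end
  lines.join("\r\n") + "\r\n\r\n"
end

# Constructed attacker input: a redirect target carrying a lone LF. It passes
# the CRLF-only check but would inject a Set-Cookie header into the response.
ATTACK = "https://example.com/\nSet-Cookie: session=attacker"

if __FILE__ == $PROGRAM_NAME
  puts "CRLF-only check accepts attack: #{crlf_only_safe?(ATTACK)}"
  puts "complete check accepts attack:  #{header_value_safe?(ATTACK)}"
end
```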
A code injection vulnerability of Shell#[] and Shell#test in a standard library (lib/shell.rb) was found. The vulnerability has been assigned the CVE identifier CVE-2019-16255.
Details
Shell#[] and its alias Shell#test, defined in lib/shell.rb, allow code injection if the first argument (the "command" argument) is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
Note that passing untrusted data to methods of Shell is dangerous in general; users must never do it. However, we treat this particular case as a vulnerability because the purpose of Shell#[] and Shell#test is considered to be file testing.
All users running an affected release should upgrade immediately.
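The following is an added illustration of the bug class, not the lib/shell.rb code and not an exploit for it. A hypothetical file-test helper dispatches an untrusted "command" string with send, so the caller can reach any method on the receiver rather than only file predicates; the hardened form resolves the command against an explicit allow-list first. Method names, the allow-list contents and the sample inputs are assumptions.

```ruby
# Added example (not lib/shell.rb). Hypothetical helper in the style that makes a
# "command" argument dangerous: the string is handed straight to send, and send
# also reaches private methods, so a command such as "eval" or "system" is
# executed as a method call rather than treated as a file test name.
def file_test_unsafe(command, path)
  FileTest.send(command, path)
end

# Hardened form: the command is looked up in an explicit allow-list of file
# predicates and anything else is rejected before send is reached.
FILE_TESTS = {
  "e" => :exist?,     "exist?"     => :exist?,
  "f" => :file?,      "file?"      => :file?,
  "d" => :directory?, "directory?" => :directory?,
  "r" => :readable?,  "readable?"  => :readable?,
}.freeze

def file_test(command, path)
  method = FILE_TESTS.fetch(command.to_s) do
    raise ArgumentError, "unsupported file test: #{command.inspect}"
  end
  FileTest.public_send(method, path)
end

if __FILE__ == $PROGRAM_NAME
  # "eval" is not a file test, yet the unsafe helper evaluates it (harmless input here).
  puts "unsafe helper ran eval: #{file_test_unsafe("eval", "6*7").inspect}"
  puts "hardened helper, d on pwd: #{file_test("d", Dir.pwd)}"
end
```

The allow-list is the important part: validating that the command "looks like" a method name is not enough, because the attacker's goal is precisely to name a method the author did not intend.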
There are multiple Cross-Site Scripting (XSS) vulnerabilities in the copy of jQuery shipped with RDoc, which is bundled with Ruby.
All Ruby users are recommended to update Ruby to a newer version that includes the security-fixed RDoc.
If you publish RDoc documentation generated by rdoc, you are recommended to re-generate it with the security-fixed RDoc.
It is strongly recommended that all Ruby users upgrade their Ruby installation or apply one of the following workarounds as soon as possible.
After that, you should re-generate your RDoc documentation.
Affected Versions
Ruby 2.3 series: all
Ruby 2.4 series: 2.4.6 and earlier
Ruby 2.5 series: 2.5.5 and earlier
Ruby 2.6 series: 2.6.3 and earlier
prior to master commit f308ab2131ee675000926540cbb8c13c91dc3be5
Workarounds
In principle, you should upgrade your Ruby installation to the latest version.
RDoc 6.1.2 or later includes the fix for the vulnerabilities, so upgrade RDoc to the latest version if you can't upgrade Ruby itself.
gem install rdoc -f
At this time, a message like the following will be displayed. Every time you get Overwrite the executable? [yN], enter y and confirm with Enter to continue the update.
Updating installed gems
Updating rdoc
Fetching: rdoc-6.1.1.gem (100%)
rdoc's executable "rdoc" conflicts with /home/aycabta/.rbenv/versions/2.5.3/bin/rdoc
Overwrite the executable? [yN] y
rdoc's executable "ri" conflicts with /home/aycabta/.rbenv/versions/2.5.3/bin/ri
Overwrite the executable? [yN] y
Successfully installed rdoc-6.1.1
Parsing documentation for rdoc-6.1.1
Installing ri documentation for rdoc-6.1.1
Installing darkfish documentation for rdoc-6.1.1
Done installing documentation for rdoc after 6 seconds
Parsing documentation for rdoc-6.1.1
Done installing documentation for rdoc after 3 seconds
Gems updated: rdoc
Regarding the development version (master branch), update to HEAD.
RDoc is a static documentation generation tool.
Patching the library itself is insufficient to correct this exploit.
Those hosting rdoc documentation will need to re-generate it with security-fixed RDoc.
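The following is an added script, not part of the advisory, that automates the two workaround steps for a site hosting generated documentation: confirm that the rdoc on PATH is at least 6.1.2 and, only then, regenerate the documentation. It assumes that `rdoc --version` prints a line of the form "rdoc X.Y.Z" and that rdoc accepts -o for the output directory; the directory arguments are placeholders.

```sh
#!/bin/sh
# Added example, not from the advisory. Gate documentation regeneration on the
# installed RDoc being at least the first fixed release.
MIN_RDOC_VERSION="6.1.2"

# num STR -> leading digits of STR, or 0 (drops pre-release tails like "2.pre1").
num() {
  n=${1%%[!0-9]*}
  echo "${n:-0}"
}

# version_ge ACTUAL MIN -> exit status 0 when ACTUAL >= MIN, comparing
# major.minor.patch numerically (so 6.10.0 is newer than 6.9.0).
version_ge() {
  actual=$1; min=$2
  old_ifs=$IFS; IFS=.
  set -- $actual
  a1=$(num "${1:-0}"); a2=$(num "${2:-0}"); a3=$(num "${3:-0}")
  set -- $min
  m1=$(num "${1:-0}"); m2=$(num "${2:-0}"); m3=$(num "${3:-0}")
  IFS=$old_ifs
  [ "$a1" -gt "$m1" ] && return 0
  [ "$a1" -lt "$m1" ] && return 1
  [ "$a2" -gt "$m2" ] && return 0
  [ "$a2" -lt "$m2" ] && return 1
  [ "$a3" -ge "$m3" ]
}

# Version reported by the rdoc on PATH ("rdoc 6.1.2" -> "6.1.2"); assumption
# about the output format, empty if rdoc is missing.
installed_rdoc_version() {
  rdoc --version 2>/dev/null | awk '{print $2}'
}

# regenerate_docs SRC_DIR OUT_DIR -> refuses to run with a vulnerable rdoc.
regenerate_docs() {
  v=$(installed_rdoc_version)
  if [ -z "$v" ]; then
    echo "rdoc not found on PATH" >&2
    return 2
  fi
  if ! version_ge "$v" "$MIN_RDOC_VERSION"; then
    echo "rdoc $v is older than $MIN_RDOC_VERSION; run: gem install rdoc -f" >&2
    return 1
  fi
  rm -rf "$2" && rdoc -o "$2" "$1"
}

# Usage (placeholders): regenerate_docs lib doc
```

Stale generated HTML keeps the vulnerable jQuery regardless of which RDoc is installed, which is why the version gate is followed by a full regeneration into a fresh output directory rather than an in-place update.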
We are pleased to announce the release of Ruby 2.7.0-preview1.
A preview version is released to gather feedback for the final release, which is planned for December. It introduces a number of new features and performance improvements, most notably:
Compaction GC
Pattern Matching
REPL improvement
Compaction GC
This release introduces Compaction GC which can defragment a fragmented memory space.
Some multithread Ruby programs may cause memory fragmentation, leading to high memory usage and degraded speed.
The GC.compact method is introduced for compacting the heap. This function compacts live objects in the heap so that fewer pages may be used, and the heap may be more CoW friendly. #15626
Pattern Matching [Experimental]
Pattern matching, a feature widely used in functional programming languages, is introduced as an experimental feature. #14912
It can traverse a given object and assign its values when it matches a pattern.
case JSON.parse('{...}', symbolize_names: true)
in {name: "Alice", children: [{name: "Bob", age: age}]}
p age
...
end
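The snippet above elides the JSON document. The following is an added, self-contained version (not code from the release announcement) that uses a constructed JSON document and shows the property a practitioner cares about when the input is untrusted: the pattern enforces the shape and the types of the data, and an else branch turns anything that does not match into nil instead of a NoMatchingPatternError. The sample documents and the function name are assumptions.

```ruby
# Added example (not from the announcement). Requires Ruby 2.7 or later for
# case/in; on 2.7 the interpreter prints an "experimental" warning.
require "json"

# Constructed sample document with the shape the announcement's pattern expects.
SAMPLE = '{"name":"Alice","children":[{"name":"Bob","age":7}]}'

# Returns Bob's age when the document has exactly the expected shape and the age
# is an Integer; returns nil for any other shape, type, or unparsable input.
def child_age(json)
  case JSON.parse(json, symbolize_names: true)
  in {name: "Alice", children: [{name: "Bob", age: Integer => age}]}
    age
  else
    nil
  end
rescue JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  p child_age(SAMPLE)
  p child_age('{"name":"Alice","children":[{"name":"Bob","age":"7"}]}')
end
```

The hash pattern accepts extra keys but requires the listed ones; the array pattern requires exactly one child. The Integer => age binding is what stops a string "7" from reaching code that expects a number.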
irb, the bundled interactive environment (REPL; Read-Eval-Print-Loop), now supports multi-line editing. It's powered by reline, a readline-compatible pure-Ruby implementation.
It also provides rdoc integration. In irb you can display the reference for a given class, module, or method. #14683, #14787, #14918
Besides, source lines shown at binding.irb and inspect results for core-class objects are now colorized.
Other Notable New Features
A method reference operator, .:, is introduced as an experimental feature. #12125, #13581
Numbered parameter as the default block parameter is introduced as an experimental feature. #4475
A beginless range is experimentally introduced. It might not be as useful as an endless range, but would be good for DSL purposes. #14799
ary[..3] # identical to ary[0..3]
rel.where(sales: ..100)
Enumerable#tally is added. It counts the occurrence of each element.
JIT-ed code is recompiled to less-optimized code when an optimization assumption is invalidated.
Method inlining is performed when a method is considered as pure. This optimization is still experimental and many methods are NOT considered as pure yet.
Default value of --jit-min-calls is changed from 5 to 10,000
Default value of --jit-max-cache is changed from 1,000 to 100
Other notable changes since 2.6
Proc.new and proc with no block, used inside a method that was called with a block, now emit a warning.
lambda with no block, used inside a method that was called with a block, now raises an error.
Update Unicode version and Emoji version from 11.0.0 to 12.0.0. [Feature #15321]
Update Unicode version to 12.1.0, adding support for U+32FF SQUARE ERA NAME REIWA. [Feature #15195]
Date.jisx0301, Date#jisx0301, and Date.parse provisionally support the new Japanese era as an informal extension, until the new JIS X 0301 is issued. [Feature #15742]
Ruby was first developed by Matz (Yukihiro Matsumoto) in 1993, and is now developed as Open Source. It runs on multiple platforms and is used all over the world especially for web development.
Today, the canonical repository of the Ruby programming language was moved to Git from Subversion.
The web interface for the new repository is https://git.ruby-lang.org, and is provided by cgit. Contributions can now be recorded in the Ruby repository directly under the contributor's own commit hash.
Development policy
We don’t use a topic branch on cgit.
The GitHub repository will still be just a mirror. We don’t use the “Merge pull request” feature.
The ruby_2_4, ruby_2_5, and ruby_2_6 branches will continue to use SVN. We don’t push anything to these branches on cgit.
Starting with ruby_2_7, we’ll use cgit to develop stable branches.
We don’t use merge commits.
Special Thanks
k0kubun
k0kubun aggressively develops toolchains related to release and backport workflows and also updates the hook script for git.
naruse
naruse updates the feature changes for Ruby CI and Redmine (bugs.ruby-lang.org).
mame
mame creates the commit notification script for slack.
This release includes about 20 bug fixes after the previous release, and also includes several security fixes.
Please check the topics below for details.
After this release, we will end the normal maintenance phase of Ruby 2.4,
and start the security maintenance phase of it.
This means that after the release of 2.4.6 we will never backport any bug fixes
to 2.4 except security fixes.
The term of the security maintenance phase is scheduled for 1 year.
By the end of this term, official support of Ruby 2.4 will be over.
Therefore, we recommend that you start planning to upgrade to Ruby 2.6 or 2.5.
We announce that all support of the Ruby 2.3 series has ended.
After the release of Ruby 2.3.7 on March 28, 2018,
the support of the Ruby 2.3 series was in the security maintenance phase.
Now, after one year has passed, this phase has ended.
Therefore, on March 31, 2019, all support of the Ruby 2.3 series ends.
Security and bug fixes from more recent Ruby versions will no longer be
backported to 2.3. There won’t be any patches of 2.3 either.
We highly recommend that you upgrade to Ruby 2.6 or 2.5 as soon as possible.
About currently supported Ruby versions
Ruby 2.6 series
Currently in normal maintenance phase.
We will backport bug fixes and release with the fixes whenever necessary.
And, if a critical security issue is found, we will release an urgent fix
for it.
Ruby 2.5 series
Currently in normal maintenance phase.
We will backport bug fixes and release with the fixes whenever necessary.
And, if a critical security issue is found, we will release an urgent fix
for it.
Ruby 2.4 series
Currently in security maintenance phase.
We will never backport any bug fixes to 2.4 except security fixes.
If a critical security issue is found, we will release an urgent fix for it.
We are planning to end the support of the Ruby 2.4 series on March 31, 2020.