Ruby 2.3.6 & 2.2.9 released: security fixes for the dynamically typed programming language

Ruby 2.3.6 has been released. This version fixes the following issues:
  • Unsafe Object Deserialization Vulnerability in RubyGems
  • test/net/ftp/test_ftp.rb (process_port_or_eprt): merge a part of r56973 to pass the test introduced in the previous commit.
  • Fix a command injection vulnerability in Net::FTP.
  • webrick: compile RE correctly for beginning and end match. Using ^ and $ in regexps means we can accidentally get fooled by “%0a” in HTTP request paths being decoded to newline characters. Use \A and \z to match beginning and end-of-string respectively, instead.
  • webrick: do not hang acceptor on slow TLS connections

    OpenSSL::SSL::SSLSocket#accept may block indefinitely on clients which negotiate the TCP connection, but fail (or are slow) to negotiate the subsequent TLS handshake. This prevents the multi-threaded WEBrick server from accepting other connections.

    Since the TLS handshake (via OpenSSL::SSL::SSLSocket#accept) consists of normal read/write traffic over TCP, handle it in the per-client thread, instead. Furthermore, using non-blocking accept() is useful for non-TLS sockets anyway because spurious wakeups are possible from select(2).

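The WEBrick regexp item above is easy to reproduce. The following is an added example, not WEBrick's code: a path allowlist checked once with the `^`/`$` anchors and once with `\A`/`\z`, fed a percent-decoded request path. `ALLOWED_PATHS`, `decode_path` and the sample paths are constructed for the example. In Ruby `^` and `$` always match at line boundaries, so once `%0a` has been decoded to a newline the first line of the path satisfies the pattern on its own.

```ruby
# Added example (not WEBrick's own code): why ^/$ are fooled by a decoded
# newline in a request path, and the \A/\z form from the changelog entry.

# Simplified percent-decoding as a server does before routing (constructed).
def decode_path(raw)
  raw.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }   # "%0a" -> "\n"
end

# Hypothetical allowlist of servable paths (constructed for the example).
ALLOWED_PATHS = ['/index.html', '/public'].freeze

# Pre-fix pattern: in Ruby, ^ and $ match at the start and end of any *line*.
def allowed_linewise?(path)
  ALLOWED_PATHS.any? { |p| path.match?(/^#{Regexp.escape(p)}$/) }
end

# Fixed pattern: \A and \z anchor to the start and the very end of the string.
def allowed_strict?(path)
  ALLOWED_PATHS.any? { |p| path.match?(/\A#{Regexp.escape(p)}\z/) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request paths: a legitimate one, one carrying an encoded newline,
  # and one that is simply not on the list.
  ['/public', '/public%0a/secret', '/public%0a', '/nope'].each do |raw|
    path = decode_path(raw)
    puts format('%-22s linewise=%-5s strict=%s',
                raw, allowed_linewise?(path), allowed_strict?(path))
  end
end
```

`\z` rather than `\Z` is the right choice for the end anchor: `\Z` still matches before a single trailing newline, so `/public%0a` would slip through it.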

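The acceptor-hang item above describes a structural fix rather than a one-line patch, so here is an added example that is not WEBrick's code: a tiny TLS server that can run its handshake either inside the accept loop (the behaviour the changelog describes as the problem) or in a per-client thread after a non-blocking `accept_nonblock`. A probe opens a stalled connection (TCP only, never sends a ClientHello) and then checks whether a well-behaved TLS client is still served within a timeout. The self-signed certificate, the `hello` line the server sends, the `:acceptor`/`:per_client` mode names and the helper names are all constructed for this example.

```ruby
# Added example (not WEBrick's own code): TLS handshake in the acceptor vs.
# in the per-client thread, probed with a stalled client.
require 'openssl'
require 'socket'
require 'timeout'

# Throwaway self-signed certificate generated in memory (constructed test material).
def make_cert
  key  = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end
TLS_KEY, TLS_CERT = make_cert

# Start a server on an ephemeral loopback port; returns [tcp_server, port, acceptor_thread].
# :acceptor   - handshake runs inside the accept loop (the pre-fix behaviour)
# :per_client - accept loop only does a non-blocking TCP accept, handshake in a thread
def start_server(mode)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = TLS_CERT
  ctx.key  = TLS_KEY
  tcp  = TCPServer.new('127.0.0.1', 0)
  port = tcp.addr[1]

  serve = lambda do |sock|
    begin
      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
      ssl.accept                 # the TLS handshake: ordinary reads/writes over TCP
      ssl.write("hello\n")
      ssl.close
    rescue StandardError
      nil                        # handshake failed or peer vanished
    ensure
      sock.close unless sock.closed?
    end
  end

  acceptor = Thread.new do
    loop do
      IO.select([tcp])                        # wakes when a connection may be pending
      begin
        sock = tcp.accept_nonblock            # never blocks: a spurious wakeup just retries
      rescue IO::WaitReadable, Errno::EINTR
        next
      end
      if mode == :acceptor
        serve.call(sock)                      # a slow handshake stalls the whole accept loop
      else
        Thread.new(sock) { |s| serve.call(s) } # handshake cost is confined to this client
      end
    end
  end
  [tcp, port, acceptor]
end

# True if a proper TLS client gets "hello" within `wait` seconds while a stalled
# client (TCP connected, never speaks TLS) is holding a connection.
def served_despite_stalled_client?(mode, wait: 2)
  tcp, port, acceptor = start_server(mode)
  stalled = TCPSocket.new('127.0.0.1', port)  # never sends a ClientHello
  sleep 0.2                                   # let the acceptor pick it up first
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # self-signed test cert
  raw    = TCPSocket.new('127.0.0.1', port)
  client = OpenSSL::SSL::SSLSocket.new(raw, cctx)
  Timeout.timeout(wait) do
    client.connect
    client.gets == "hello\n"
  end
rescue Timeout::Error
  false
ensure
  [client, raw, stalled, tcp].each { |s| (s.close rescue nil) if s }
  acceptor&.kill
end

if __FILE__ == $PROGRAM_NAME
  puts "handshake in acceptor  -> served: #{served_despite_stalled_client?(:acceptor)}"
  puts "handshake per client   -> served: #{served_despite_stalled_client?(:per_client)}"
end
```

The stalled client is enough to wedge the `:acceptor` variant because `SSLSocket#accept` is just blocking reads waiting for bytes that never come; moving that call into the per-client thread leaves the accept loop free, and the `rescue IO::WaitReadable` around `accept_nonblock` is what makes a spurious `select(2)` wakeup harmless.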

Ruby 2.2.9 has been released. This release contains more than one security fix.
Ruby 2.2 is now in its security maintenance phase; at the end of March 2018, Ruby 2.2 maintenance will end.

