CVE-2024-27280: Buffer overread vulnerability in StringIO
Ruby | A programmer's Best Friend
1M ago
We have released the StringIO gem versions 3.0.1.1 and 3.0.1.2, which have a security fix for a buffer overread vulnerability. This vulnerability has been assigned the CVE identifier CVE-2024-27280.
Details
An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. This vulnerability does not affect StringIO 3.0.3 and later, or Ruby 3.2.x and later.
Recommended action
We recommend updating the St ..read more
CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
1M ago
We have released the RDoc gem versions 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1, which have a security fix for an RCE vulnerability. This vulnerability has been assigned the CVE identifier CVE-2024-27281.
Details
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. When loading the documentation cache, object injection and resultant remote code execu ..read more
Ruby 3.3.0 Released
4M ago
We are pleased to announce the release of Ruby 3.3.0. Ruby 3.3 adds a new parser named Prism, uses Lrama as a parser generator, adds a new pure-Ruby JIT compiler named RJIT, and many performance improvements, especially to YJIT.
Prism
Introduced the Prism parser as a default gem
Prism is a portable, error tolerant, and maintainable recursive descent parser for the Ruby language
Prism is production ready and actively maintained; you can use it in place of Ripper
There is extensive documentation on how to use Prism
Prism is both a C library that will be used internally by CRuby and a Ruby gem t ..read more
Ruby 3.3.0-rc1 Released
4M ago
We are pleased to announce the release of Ruby 3.3.0-rc1. Ruby 3.3 adds a new parser named Prism, uses Lrama as a parser generator, adds a new pure-Ruby JIT compiler named RJIT, and many performance improvements, especially to YJIT. After the release of RC1, we will avoid introducing ABI incompatibilities wherever possible. If we need to, we’ll announce it in the release note.
Prism
Introduced the Prism parser as a default gem
Prism is a portable, error tolerant, and maintainable recursive descent parser for the Ruby language
Prism is production ready and actively maintained; you can use it ..read more
Ruby 3.3.0-preview3 Released
5M ago
We are pleased to announce the release of Ruby 3.3.0-preview3. Ruby 3.3 adds a new parser named Prism, uses Lrama as a parser generator, adds a new pure-Ruby JIT compiler named RJIT, and many performance improvements, especially to YJIT.
Prism
Introduced the Prism parser as a default gem
Prism is a portable, error tolerant, and maintainable recursive descent parser for the Ruby language
Prism is production ready and actively maintained; you can use it in place of Ripper
There is extensive documentation on how to use Prism
Prism is both a C library that will be used internally by CRuby and a R ..read more
Ruby 3.3.0-preview2 Released
7M ago
We are pleased to announce the release of Ruby 3.3.0-preview2. Ruby 3.3 adds a new pure-Ruby JIT compiler named RJIT, uses Lrama as a parser generator, and many performance improvements, especially to YJIT.
RJIT
Introduced a pure-Ruby JIT compiler, RJIT, which replaces MJIT. RJIT supports only the x86_64 architecture on Unix platforms. Unlike MJIT, it doesn’t require a C compiler at runtime. RJIT exists only for experimental purposes. You should keep using YJIT in production. If you are interested in developing JIT for Ruby, please check out k0kubun’s presentation on Day 3 of RubyKaigi.
Use Lrama ..read more
CVE-2023-36617: ReDoS vulnerability in URI
10M ago
We have released the uri gem versions 0.12.2 and 0.10.3, which have a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-36617.
Details
A ReDoS issue was discovered in the URI component through 0.12.1 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. The uri gem version 0.12.1 and all versions prior to 0.12.1 are vulnerable to this ..read more
Ruby 3.3.0-preview1 Released
1y ago
We are pleased to announce the release of Ruby 3.3.0-preview1. Ruby 3.3 adds a new pure-Ruby JIT compiler named RJIT, uses Lrama as a parser generator, and many performance improvements, especially to YJIT.
RJIT
Introduced a pure-Ruby JIT compiler, RJIT, which replaces MJIT. RJIT supports only the x86_64 architecture on Unix platforms. Unlike MJIT, it doesn’t require a C compiler at runtime. RJIT exists only for experimental purposes. You should keep using YJIT in production. If you are interested in developing JIT for Ruby, please check out k0kubun’s presentation on Day 3 of RubyKaigi.
Use Lrama ..read more
Ruby 2.7.8 Released
1y ago
Ruby 2.7.8 has been released. This release includes security fixes. Please check the topics below for details.
CVE-2023-28755: ReDoS vulnerability in URI
CVE-2023-28756: ReDoS vulnerability in Time
This release also includes some build problem fixes. See the GitHub releases for further details. After this release, Ruby 2.7 reaches EOL. In other words, this is expected to be the last release of the Ruby 2.7 series. We will not release Ruby 2.7.9 even if a security vulnerability is found (but could release if a severe regression is found). We recommend all Ruby 2.7 users to start migration to Ruby ..read more
Ruby 3.0.6 Released
1y ago
Ruby 3.0.6 has been released. This release includes security fixes. Please check the topics below for details.
CVE-2023-28755: ReDoS vulnerability in URI
CVE-2023-28756: ReDoS vulnerability in Time
This release also includes some bug fixes. See the GitHub releases for further details. After this release, we end the normal maintenance phase of Ruby 3.0, and Ruby 3.0 enters the security maintenance phase. This means that we will no longer backport any bug fixes to Ruby 3.0 except security fixes. The term of the security maintenance phase is scheduled for a year. Ruby 3.0 reaches EOL and its of ..read more