Releases of Ruby stable versions (2019-08-28) (#2125)

* Release 2.6.4, 2.5.6 and 2.4.7

* Multiple jQuery vulnerabilities in RDoc

Author: unak

_data/downloads.yml

@@ -8,13 +8,13 @@ preview:
 
 stable:
 
-  - 2.6.3
-  - 2.5.5
+  - 2.6.4
+  - 2.5.6
 
 # optional
 security_maintenance:
 
-  - 2.4.6
+  - 2.4.7
 
 # optional
 eol:

_data/releases.yml

@@ -37,6 +37,20 @@
 
 # 2.6 series
 
+- version: 2.6.4
+  date: 2019-08-28
+  post: /en/news/2019/08/28/ruby-2-6-4-released/
+  url:
+    gz:  https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.tar.gz
+    zip: https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.zip
+    bz2: https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.tar.bz2
+    xz:  https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.tar.xz
+  sha256:
+    gz:  4fc1d8ba75505b3797020a6ffc85a8bcff6adc4dabae343b6572bf281ee17937
+    zip: 8446eaaa633a8d55146df0874154b8eb1e5ea5a000d803503d83fd67d9e9372c
+    bz2: fa1ecc67b99fa13201499002669412eae7cfbe2c30c4f1f4526e8491edfc5fa7
+    xz:  df593cd4c017de19adf5d0154b8391bb057cef1b72ecdd4a8ee30d3235c65f09
+
 - version: 2.6.3
   date: 2019-04-17
   post: /en/news/2019/04/17/ruby-2-6-3-released/
@@ -165,6 +179,20 @@
 
 # 2.5 series
 
+- version: 2.5.6
+  date: 2019-08-28
+  post: /en/news/2019/08/28/ruby-2-5-6-released/
+  url:
+    bz2: https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.tar.bz2
+    gz:  https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.tar.gz
+    xz:  https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.tar.xz
+    zip: https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.zip
+  sha256:
+    bz2: 24fc2a417e71150cd2229ec204afc8f467ebb15a8e295aab5d4bceebfb05e18d
+    gz:  1d7ed06c673020cd12a737ed686470552e8e99d72b82cd3c26daa3115c36bea7
+    xz:  7601e4b83f4f17bc1affe091502dd465282ffba0761dea57c071ead21b132cee
+    zip: c86b0a9bfe47df5639cf134eabd3ebc2711794226ccb02e22094e46aa3e887f4
+
 - version: 2.5.5
   date: 2019-03-15
   post: /en/news/2019/03/15/ruby-2-5-5-released/
@@ -279,6 +307,20 @@
 
 # 2.4 series
 
+- version: 2.4.7
+  date: 2019-08-28
+  post: /en/news/2019/08/28/ruby-2-4-7-released/
+  url:
+    bz2: https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.tar.bz2
+    gz:  https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.tar.gz
+    xz:  https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.tar.xz
+    zip: https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.zip
+  sha256:
+    bz2: c10d6ba6c890aacdf27b733e96ec3859c3ff33bfebb9b6dc8e96879636be7bf5
+    gz:  cd6efc720ca6a622745e2bac79f45e6cd63ab0f5a53ad7eb881545f58ff38b89
+    xz:  a249193c7e79b891a4783f951cad8160fa5fe985c385b4628db8e9913bff1f98
+    zip: 1016797925e55c78d9c15633da8ddbd19daed2993a99d35377d2a16c3175cfe5
+
 - version: 2.4.6
   date: 2019-04-01
   post: /en/news/2019/04/01/ruby-2-4-6-released/

en/news/_posts/2019-08-28-multiple-jquery-vulnerabilities-in-rdoc.md

@@ -0,0 +1,75 @@
+---
+layout: news_post
+title: "Multiple jQuery vulnerabilities in RDoc"
+author: "aycabta"
+translator:
+date: 2019-08-28 09:00:00 +0000
+tags: security
+lang: en
+---
+
+
+There are multiple vulnerabilities about Cross-Site Scripting (XSS) in jQuery that is contained by RDoc bundled with Ruby.
+All ruby users are recommended to update ruby to newer version which includes security-fixed RDoc.
+If you are publishing RDoc documentation generated by rdoc, you are recommended to re-generate it with security-fixed RDoc.
+
+## Details
+
+The following vulnerabilities have been reported.
+
+* [CVE-2012-6708](https://nvd.nist.gov/vuln/detail/CVE-2012-6708)
+* [CVE-2015-9251](https://nvd.nist.gov/vuln/detail/CVE-2015-9251)
+
+It is strongly recommended for all ruby users to upgrade your Ruby installation or take one of the following workarounds as soon as possible.
+After that, you should re-generate RDoc documentation.
+
+## Affected Versions
+
+* Ruby 2.3 series: all
+* Ruby 2.4 series: 2.4.6 and earlier
+* Ruby 2.5 series: 2.5.5 and earlier
+* Ruby 2.6 series: 2.6.3 and earlier
+* prior to master commit f308ab2131ee675000926540cbb8c13c91dc3be5
+
+## Workarounds
+
+In principle, you should upgrade your Ruby installation to the latest version.
+RDoc 6.1.2 or later includes the fix for the vulnerabilities, so upgrade RDoc to the latest version if you can’t upgrade Ruby itself.
+
+```
+gem install rdoc -f
+```
+
+At this time, the following message will be displayed. Every time you get `Overwrite the executable? [YN]`, enter `y` and confirm with Enter to continue the update.
+
+```
+Updating installed gems
+Updating rdoc
+Fetching: rdoc-6.1.1.gem (100%)
+rdoc's executable "rdoc" conflicts with /home/aycabta/.rbenv/versions/2.5.3/bin/rdoc
+Overwrite the executable? [yN]  y
+rdoc's executable "ri" conflicts with /home/aycabta/.rbenv/versions/2.5.3/bin/ri
+Overwrite the executable? [yN]  y
+Successfully installed rdoc-6.1.1
+Parsing documentation for rdoc-6.1.1
+Installing ri documentation for rdoc-6.1.1
+Installing darkfish documentation for rdoc-6.1.1
+Done installing documentation for rdoc after 6 seconds
+Parsing documentation for rdoc-6.1.1
+Done installing documentation for rdoc after 3 seconds
+Gems updated: rdoc
+```
+
+Regarding the development version (master branch), update to HEAD.
+
+RDoc is a static documentation generation tool.
+Patching the library itself is insufficient to correct this exploit.
+Those hosting rdoc documentation will need to re-generate it with security-fixed RDoc.
+
+## Credits
+
+Thanks to [Chris Seaton](https://hackerone.com/chrisseaton) for reporting the issue.
+
+## History
+
+* Originally published at 2019-08-28 09:00:00 UTC

en/news/_posts/2019-08-28-ruby-2-4-7-released.md

@@ -0,0 +1,54 @@
+---
+layout: news_post
+title: "Ruby 2.4.7 Released"
+author: "usa"
+translator:
+date: 2019-08-28 09:00:00 +0000
+lang: en
+---
+
+Ruby 2.4.7 has been released.
+
+This release includes a security fix.
+Please check the topics below for details.
+
+* [Multiple jQuery vulnerabilities in RDoc](/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/)
+
+Ruby 2.4 is now under the state of the security maintenance phase, until
+the end of March of 2020.  After that date, maintenance of Ruby 2.4
+will be ended. We recommend you start planning the migration to newer
+versions of Ruby, such as 2.6 or 2.5.
+
+## Download
+
+* <https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.tar.bz2>
+
+      SIZE:   12826941 bytes
+      SHA1:   9eac11cd50a2c11ff310e88087f25a0ceb5d0994
+      SHA256: c10d6ba6c890aacdf27b733e96ec3859c3ff33bfebb9b6dc8e96879636be7bf5
+      SHA512: 2665bca5f55d4b37f100eec0e2e632d41158139b85fcb8d5806c6dc1699e64194f17b9fe757b5afd6aa2c6e7ccabba8710a9aa8182a2d697add11f2b76cf6958
+
+* <https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.tar.gz>
+
+      SIZE:   16036496 bytes
+      SHA1:   607384450348bd87028cd8d1ebf09f21103d0cd2
+      SHA256: cd6efc720ca6a622745e2bac79f45e6cd63ab0f5a53ad7eb881545f58ff38b89
+      SHA512: 2fbada1cf92dc3b1cbdaf05186ff2e5d8e0ce4ac9dc736148116e365bec6d557a2115838404c982b527adbb27677340acfbbb7c873004f0cb4be8a07857e6473
+
+* <https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.tar.xz>
+
+      SIZE:   10118948 bytes
+      SHA1:   6ed0e943bfcbf181384b48e7873361f1acaf106d
+      SHA256: a249193c7e79b891a4783f951cad8160fa5fe985c385b4628db8e9913bff1f98
+      SHA512: df637c5803ddd83f759e9c24b0e7ca1f6cae7c7b353409583d92dbffece0d9d02b48905d6552327a1522a4a37d4e2d22c6c11bd991383835be35e2f31739d649
+
+* <https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.zip>
+
+      SIZE:   17659539 bytes
+      SHA1:   3f991d6b5296e9d0df405033e336bb973d418354
+      SHA256: 1016797925e55c78d9c15633da8ddbd19daed2993a99d35377d2a16c3175cfe5
+      SHA512: 1bddd5616edb1a671224bc1c22cc3ac6f70e96e41cb2937efb437e8920fe09ce2ef0f29c591499d3682ac547e1d3eb7474f89ff86a3834d25724329e4927ed76
+
+## Release Comment
+
+Thanks to everyone who helped with this release, especially, to reporters of the vulnerability.

en/news/_posts/2019-08-28-ruby-2-5-6-released.md

@@ -0,0 +1,53 @@
+---
+layout: news_post
+title: "Ruby 2.5.6 Released"
+author: "usa"
+translator:
+date: 2019-08-28 09:00:00 +0000
+lang: en
+---
+
+Ruby 2.5.6 has been released.
+
+This release includes about 40 bug fixes after the previous release, and also includes a security fix.
+Please check the topics below for details.
+
+* [Multiple jQuery vulnerabilities in RDoc](/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/)
+
+See the [commit log](https://github.com/ruby/ruby/compare/v2_5_5...v2_5_6) for details.
+
+## Download
+
+* <https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.tar.bz2>
+
+      SIZE:   14073430 bytes
+      SHA1:   a1b497237770d2a0d1386408fc264ad16f3efccf
+      SHA256: 24fc2a417e71150cd2229ec204afc8f467ebb15a8e295aab5d4bceebfb05e18d
+      SHA512: e4511d42d19a7bb39ea79f66bb4eca54b63c2a9d27addc035d6d670c1e59ee48a0c6e9c6bc7d082d1f1114b0668831dce3b7422034517f3c4a06ced0e47a7914
+
+* <https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.tar.gz>
+
+      SIZE:   17684288 bytes
+      SHA1:   d2dd34da5f3b63a0075e50133f60eb35d71b7543
+      SHA256: 1d7ed06c673020cd12a737ed686470552e8e99d72b82cd3c26daa3115c36bea7
+      SHA512: dc34243129a40b4b16fe171d70bcbdac255819868c608f3ca9f2866124fd6cfde0f3990d5e08a42752427d9066981ca14a634679b9bed5bca9f349a8526d0f35
+
+* <https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.tar.xz>
+
+      SIZE:   11323612 bytes
+      SHA1:   5008b35d386c4b663b7956a0790b6aa7ae5dc9a9
+      SHA256: 7601e4b83f4f17bc1affe091502dd465282ffba0761dea57c071ead21b132cee
+      SHA512: 4fe5f8bad5d320f8f17b02ce15afee341e7b0074efcfd98d8944e0cb7c448e0660c4553dd5c0328ee3b49fea3247642f85c60bdce431ed57f58b6326dfd48ee1
+
+* <https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.zip>
+
+      SIZE:   21263348 bytes
+      SHA1:   4a3859319dd9f1f4d43e2a2bf874ca8233d39b15
+      SHA256: c86b0a9bfe47df5639cf134eabd3ebc2711794226ccb02e22094e46aa3e887f4
+      SHA512: 8aa96c4e6692ed8c9f8fe4ceb2a91829bb5fa98ef53a4bc85f3a3d0cd66d60bb80985359bd9f7020de7d1cc39c7223559aa20dfdcc01d890624b71b935c6f8da
+
+## Release Comment
+
+Thanks to everyone who helped with this release.
+
+The maintenance of Ruby 2.5, including this release, is based on the “Agreement for the Ruby stable version” of the Ruby Association.

en/news/_posts/2019-08-28-ruby-2-6-4-released.md

@@ -0,0 +1,53 @@
+---
+layout: news_post
+title: "Ruby 2.6.4 Released"
+author: "nagachika"
+translator:
+date: 2019-08-28 09:00:00 +0000
+lang: en
+---
+
+Ruby 2.6.4 has been released.
+
+This release includes a security fix of rdoc.
+Please check the topics below for details.
+
+* [Multiple jQuery vulnerabilities in RDoc](/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/)
+
+See the [commit logs](https://github.com/ruby/ruby/compare/v2_6_3...v2_6_4) for changes in detail.
+
+## Download
+
+* <https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.tar.bz2>
+
+      SIZE:   14426299 bytes
+      SHA1:   fa1c7b7f91edb92de449cb1ae665901ba51a8b81
+      SHA256: fa1ecc67b99fa13201499002669412eae7cfbe2c30c4f1f4526e8491edfc5fa7
+      SHA512: a9fa2f51fb5f86cd8dcaa0925fe6f13d4f19f110b5d4c5fd251f199d16aaf920db39ad3bb50460eb94ab8d471ab2ac8bb54daea4a3bb080eaf45250aac3437fe
+
+* <https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.tar.gz>
+
+      SIZE:   16503137 bytes
+      SHA1:   2eaddc428cb5d210cfc256a7e6947196ed24355b
+      SHA256: 4fc1d8ba75505b3797020a6ffc85a8bcff6adc4dabae343b6572bf281ee17937
+      SHA512: 3dad0d98695e10ece015933e96114ffd9a10d3c59d1ead8a9ab041df113aabee3f4100aa7ffe7ef5c43b62ac3c7506c3f3ceeb8828b2a800b6d0f4119d5bf926
+
+* <https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.tar.xz>
+
+      SIZE:   11727940 bytes
+      SHA1:   6ef7d60b8aaa5efb04de2eb4b682f91bc0ab3910
+      SHA256: df593cd4c017de19adf5d0154b8391bb057cef1b72ecdd4a8ee30d3235c65f09
+      SHA512: 930a4162fdb008d2446247908c14269fd13db4dc80bd2bb201a65a69c03f5933f97b4c5079ccd2a12db4934ff97b2debaa10a6c6f5c3060e55873f4397747eaa
+
+* <https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.zip>
+
+      SIZE:   19922060 bytes
+      SHA1:   3e1d98afc7804a291abe42f0b8e2e98219e41ca3
+      SHA256: 8446eaaa633a8d55146df0874154b8eb1e5ea5a000d803503d83fd67d9e9372c
+      SHA512: 5696f2921b8488bde42536dd23d933c8a5ab9ce33632760d217d79567324c4a20f8007d4815f33e56c0a764d1ca372b40c41a5937f9938bb1d63ea078d10d657
+
+
+## Release Comment
+
+Many committers, developers, and users who provided bug reports helped us make this release.
+Thanks for their contributions.

ja/news/_posts/2019-08-28-multiple-jquery-vulnerabilities-in-rdoc.md

@@ -0,0 +1,75 @@
+---
+layout: news_post
+title: "RDoc における jQuery の脆弱性について"
+author: "aycabta"
+translator:
+date: 2019-08-28 09:00:00 +0000
+tags: security
+lang: ja
+---
+
+Ruby の標準添付ライブラリである RDoc に、jQuery に関するクロスサイトスクリプティング（XSS）の脆弱性が発見されました。
+全ての ruby ユーザーは、この問題に対するセキュリティフィックスが含まれた RDoc をバンドルするバージョンに更新することが推奨されます。
+また、現在、RDoc が生成した HTML ドキュメントを公開している場合は、セキュリティフィックスが含まれた RDoc を使用して HTML ドキュメントを再生成する必要があります。
+
+## 詳細
+
+以下の脆弱性が報告されています。
+
+* [CVE-2012-6708](https://nvd.nist.gov/vuln/detail/CVE-2012-6708)
+* [CVE-2015-9251](https://nvd.nist.gov/vuln/detail/CVE-2015-9251)
+
+この問題の影響を受けるバージョンの Ruby のユーザーは、最新の Ruby に更新するか、下記の回避策を取ってください。
+
+また、現在、RDoc が生成した HTML ドキュメントには、XSS 脆弱性が存在している可能性があります。
+そのため、これらの HTML ドキュメントを公開している場合は、その HTML ドキュメント自体を再生する必要があります。
+
+## 影響を受けるバージョン
+
+* Ruby 2.3 系列の全てのリリース
+* Ruby 2.4.6 以前の全ての Ruby 2.4 系列
+* Ruby 2.5.5 以前の全ての Ruby 2.5 系列
+* Ruby 2.6.3 以前の全ての Ruby 2.6 系列
+* commit xxxx より前の開発版
+
+## 回避策
+
+原則としては、Ruby 自体を最新のリリースに更新してください。それができない場合は、以下のコマンドを実行することにより、RDoc を最新版 (6.1.2 以降) に更新することによって、各脆弱性が修正されます。
+
+```
+gem install rdoc -f
+```
+
+その際に以下のようなメッセージが出るので、 `Overwrite the executable? [yN]` と出る度に随時 `y` を入力し Enter で確定することで更新を続行してください。
+
+```
+Updating installed gems
+Updating rdoc
+Fetching: rdoc-6.1.1.gem (100%)
+rdoc's executable "rdoc" conflicts with /home/aycabta/.rbenv/versions/2.5.3/bin/rdoc
+Overwrite the executable? [yN]  y
+rdoc's executable "ri" conflicts with /home/aycabta/.rbenv/versions/2.5.3/bin/ri
+Overwrite the executable? [yN]  y
+Successfully installed rdoc-6.1.1
+Parsing documentation for rdoc-6.1.1
+Installing ri documentation for rdoc-6.1.1
+Installing darkfish documentation for rdoc-6.1.1
+Done installing documentation for rdoc after 6 seconds
+Parsing documentation for rdoc-6.1.1
+Done installing documentation for rdoc after 3 seconds
+Gems updated: rdoc
+```
+
+開発版については、HEAD に更新してください。
+
+なお、RDoc は静的ドキュメント生成ツールです。
+したがって、RDoc 自体を修正しても、既に生成済みの HTML ドキュメントの脆弱性は解消されません。
+これらの HTML ドキュメントを公開している場合は、以上いずれかの対策を行った上で、該当の HTML ドキュメントを再生成してください。
+
+## クレジット
+
+この脆弱性情報は、[Chris Seaton](https://hackerone.com/chrisseaton) 氏によって報告されました。
+
+## 更新履歴
+
+* 2019-08-28 09:00:00 (JST) 初版