Releases of Ruby stable versions (2019-08-28) #2125

Merged
merged 8 commits into from
Aug 28, 2019
6 changes: 3 additions & 3 deletions _data/downloads.yml
Expand Up @@ -8,13 +8,13 @@ preview:

stable:

- 2.6.3
- 2.5.5
- 2.6.4
- 2.5.6

# optional
security_maintenance:

- 2.4.6
- 2.4.7

# optional
eol:
42 changes: 42 additions & 0 deletions _data/releases.yml
Expand Up @@ -37,6 +37,20 @@

# 2.6 series

- version: 2.6.4
date: 2019-08-28
post: /en/news/2019/08/28/ruby-2-6-4-released/
url:
gz: https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.tar.gz
zip: https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.zip
bz2: https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.tar.bz2
xz: https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.tar.xz
sha256:
gz: 4fc1d8ba75505b3797020a6ffc85a8bcff6adc4dabae343b6572bf281ee17937
zip: 8446eaaa633a8d55146df0874154b8eb1e5ea5a000d803503d83fd67d9e9372c
bz2: fa1ecc67b99fa13201499002669412eae7cfbe2c30c4f1f4526e8491edfc5fa7
xz: df593cd4c017de19adf5d0154b8391bb057cef1b72ecdd4a8ee30d3235c65f09

- version: 2.6.3
date: 2019-04-17
post: /en/news/2019/04/17/ruby-2-6-3-released/
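Review bot: the url and sha256 keys of the new 2.6.4 entry are ordered gz, zip, bz2, xz, while the 2.5.6 and 2.4.7 entries added in the same file use bz2, gz, xz, zip; use one order for all three so the entries can be compared against the release posts line by line. The four sha256 values do match the SHA256 lines in en/news/_posts/2019-08-28-ruby-2-6-4-released.md.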
Expand Down Expand Up @@ -165,6 +179,20 @@

# 2.5 series

- version: 2.5.6
date: 2019-08-28
post: /en/news/2019/08/28/ruby-2-5-6-released/
url:
bz2: https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.tar.bz2
gz: https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.tar.gz
xz: https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.tar.xz
zip: https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.zip
sha256:
bz2: 24fc2a417e71150cd2229ec204afc8f467ebb15a8e295aab5d4bceebfb05e18d
gz: 1d7ed06c673020cd12a737ed686470552e8e99d72b82cd3c26daa3115c36bea7
xz: 7601e4b83f4f17bc1affe091502dd465282ffba0761dea57c071ead21b132cee
zip: c86b0a9bfe47df5639cf134eabd3ebc2711794226ccb02e22094e46aa3e887f4

- version: 2.5.5
date: 2019-03-15
post: /en/news/2019/03/15/ruby-2-5-5-released/
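Review bot: the four sha256 values for 2.5.6 match the SHA256 lines in en/news/_posts/2019-08-28-ruby-2-5-6-released.md, and the bz2, gz, xz, zip key order matches the 2.4.7 entry below; nothing to change in this hunk.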
Expand Down Expand Up @@ -279,6 +307,20 @@

# 2.4 series

- version: 2.4.7
date: 2019-08-28
post: /en/news/2019/08/28/ruby-2-4-7-released/
url:
bz2: https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.tar.bz2
gz: https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.tar.gz
xz: https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.tar.xz
zip: https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.zip
sha256:
bz2: c10d6ba6c890aacdf27b733e96ec3859c3ff33bfebb9b6dc8e96879636be7bf5
gz: cd6efc720ca6a622745e2bac79f45e6cd63ab0f5a53ad7eb881545f58ff38b89
xz: a249193c7e79b891a4783f951cad8160fa5fe985c385b4628db8e9913bff1f98
zip: 1016797925e55c78d9c15633da8ddbd19daed2993a99d35377d2a16c3175cfe5

- version: 2.4.6
date: 2019-04-01
post: /en/news/2019/04/01/ruby-2-4-6-released/
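Review bot: the four sha256 values for 2.4.7 match the SHA256 lines in en/news/_posts/2019-08-28-ruby-2-4-7-released.md, and placing 2.4.7 under security_maintenance in _data/downloads.yml is consistent with the 2.4.7 post, which states that 2.4 is in the security maintenance phase; nothing to change here.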
@@ -0,0 +1,75 @@
---
layout: news_post
title: "Multiple jQuery vulnerabilities in RDoc"
author: "aycabta"
translator:
date: 2019-08-28 09:00:00 +0000
tags: security
lang: en
---


There are multiple vulnerabilities about Cross-Site Scripting (XSS) in jQuery that is contained by RDoc bundled with Ruby.
All ruby users are recommended to update ruby to newer version which includes security-fixed RDoc.
If you are publishing RDoc documentation generated by rdoc, you are recommended to re-generate it with security-fixed RDoc.

## Details

The following vulnerabilities have been reported.

* [CVE-2012-6708](https://nvd.nist.gov/vuln/detail/CVE-2012-6708)
* [CVE-2015-9251](https://nvd.nist.gov/vuln/detail/CVE-2015-9251)

It is strongly recommended for all ruby users to upgrade your Ruby installation or take one of the following workarounds as soon as possible.
After that, you should re-generate RDoc documentation.

## Affected Versions

* Ruby 2.3 series: all
* Ruby 2.4 series: 2.4.6 and earlier
* Ruby 2.5 series: 2.5.5 and earlier
* Ruby 2.6 series: 2.6.3 and earlier
* prior to master commit f308ab2131ee675000926540cbb8c13c91dc3be5

## Workarounds

In principle, you should upgrade your Ruby installation to the latest version.
RDoc 6.1.2 or later includes the fix for the vulnerabilities, so upgrade RDoc to the latest version if you can’t upgrade Ruby itself.

```
gem install rdoc -f
```

At this time, the following message will be displayed. Every time you get `Overwrite the executable? [YN]`, enter `y` and confirm with Enter to continue the update.

```
Updating installed gems
Updating rdoc
Fetching: rdoc-6.1.1.gem (100%)
rdoc's executable "rdoc" conflicts with /home/aycabta/.rbenv/versions/2.5.3/bin/rdoc
Overwrite the executable? [yN] y
rdoc's executable "ri" conflicts with /home/aycabta/.rbenv/versions/2.5.3/bin/ri
Overwrite the executable? [yN] y
Successfully installed rdoc-6.1.1
Parsing documentation for rdoc-6.1.1
Installing ri documentation for rdoc-6.1.1
Installing darkfish documentation for rdoc-6.1.1
Done installing documentation for rdoc after 6 seconds
Parsing documentation for rdoc-6.1.1
Done installing documentation for rdoc after 3 seconds
Gems updated: rdoc
```

Regarding the development version (master branch), update to HEAD.

RDoc is a static documentation generation tool.
Patching the library itself is insufficient to correct this exploit.
Those hosting rdoc documentation will need to re-generate it with security-fixed RDoc.

## Credits

Thanks to [Chris Seaton](https://hackerone.com/chrisseaton) for reporting the issue.

## History

* Originally published at 2019-08-28 09:00:00 UTC
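Review bot: the transcript shown after `gem install rdoc -f` reports `Fetching: rdoc-6.1.1.gem` and `Successfully installed rdoc-6.1.1`, but the sentence before it says RDoc 6.1.2 or later contains the fix, so the example documents installing a version the advisory itself lists as unfixed; re-capture the output with 6.1.2 or later, or add a sentence asking readers to confirm the installed version is at least 6.1.2 (for example with `gem list rdoc`). The prose also quotes the prompt as `Overwrite the executable? [YN]` while the transcript shows `[yN]`; quote the transcript's form. Minor wording: "update ruby to newer version" should read "update Ruby to a newer version", and "insufficient to correct this exploit" should say "this vulnerability", since regenerating the HTML is about replacing the vulnerable jQuery copy in already-generated documentation. There is also a doubled blank line after the front matter.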
54 changes: 54 additions & 0 deletions en/news/_posts/2019-08-28-ruby-2-4-7-released.md
@@ -0,0 +1,54 @@
---
layout: news_post
title: "Ruby 2.4.7 Released"
author: "usa"
translator:
date: 2019-08-28 09:00:00 +0000
lang: en
---

Ruby 2.4.7 has been released.

This release includes a security fix.
Please check the topics below for details.

* [Multiple jQuery vulnerabilities in RDoc](/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/)

Ruby 2.4 is now under the state of the security maintenance phase, until
the end of March of 2020. After that date, maintenance of Ruby 2.4
will be ended. We recommend you start planning the migration to newer
versions of Ruby, such as 2.6 or 2.5.

## Download

* <https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.tar.bz2>

SIZE: 12826941 bytes
SHA1: 9eac11cd50a2c11ff310e88087f25a0ceb5d0994
SHA256: c10d6ba6c890aacdf27b733e96ec3859c3ff33bfebb9b6dc8e96879636be7bf5
SHA512: 2665bca5f55d4b37f100eec0e2e632d41158139b85fcb8d5806c6dc1699e64194f17b9fe757b5afd6aa2c6e7ccabba8710a9aa8182a2d697add11f2b76cf6958

* <https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.tar.gz>

SIZE: 16036496 bytes
SHA1: 607384450348bd87028cd8d1ebf09f21103d0cd2
SHA256: cd6efc720ca6a622745e2bac79f45e6cd63ab0f5a53ad7eb881545f58ff38b89
SHA512: 2fbada1cf92dc3b1cbdaf05186ff2e5d8e0ce4ac9dc736148116e365bec6d557a2115838404c982b527adbb27677340acfbbb7c873004f0cb4be8a07857e6473

* <https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.tar.xz>

SIZE: 10118948 bytes
SHA1: 6ed0e943bfcbf181384b48e7873361f1acaf106d
SHA256: a249193c7e79b891a4783f951cad8160fa5fe985c385b4628db8e9913bff1f98
SHA512: df637c5803ddd83f759e9c24b0e7ca1f6cae7c7b353409583d92dbffece0d9d02b48905d6552327a1522a4a37d4e2d22c6c11bd991383835be35e2f31739d649

* <https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.7.zip>

SIZE: 17659539 bytes
SHA1: 3f991d6b5296e9d0df405033e336bb973d418354
SHA256: 1016797925e55c78d9c15633da8ddbd19daed2993a99d35377d2a16c3175cfe5
SHA512: 1bddd5616edb1a671224bc1c22cc3ac6f70e96e41cb2937efb437e8920fe09ce2ef0f29c591499d3682ac547e1d3eb7474f89ff86a3834d25724329e4927ed76

## Release Comment

Thanks to everyone who helped with this release, especially, to reporters of the vulnerability.
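Review bot: "Ruby 2.4 is now under the state of the security maintenance phase" reads awkwardly; "Ruby 2.4 is now in the security maintenance phase, until the end of March 2020" says the same thing. In the Release Comment, drop the comma after "especially".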
53 changes: 53 additions & 0 deletions en/news/_posts/2019-08-28-ruby-2-5-6-released.md
@@ -0,0 +1,53 @@
---
layout: news_post
title: "Ruby 2.5.6 Released"
author: "usa"
translator:
date: 2019-08-28 09:00:00 +0000
lang: en
---

Ruby 2.5.6 has been released.

This release includes about 40 bug fixes after the previous release, and also includes a security fix.
Please check the topics below for details.

* [Multiple jQuery vulnerabilities in RDoc](/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/)

See the [commit log](https://github.com/ruby/ruby/compare/v2_5_5...v2_5_6) for details.

## Download

* <https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.tar.bz2>

SIZE: 14073430 bytes
SHA1: a1b497237770d2a0d1386408fc264ad16f3efccf
SHA256: 24fc2a417e71150cd2229ec204afc8f467ebb15a8e295aab5d4bceebfb05e18d
SHA512: e4511d42d19a7bb39ea79f66bb4eca54b63c2a9d27addc035d6d670c1e59ee48a0c6e9c6bc7d082d1f1114b0668831dce3b7422034517f3c4a06ced0e47a7914

* <https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.tar.gz>

SIZE: 17684288 bytes
SHA1: d2dd34da5f3b63a0075e50133f60eb35d71b7543
SHA256: 1d7ed06c673020cd12a737ed686470552e8e99d72b82cd3c26daa3115c36bea7
SHA512: dc34243129a40b4b16fe171d70bcbdac255819868c608f3ca9f2866124fd6cfde0f3990d5e08a42752427d9066981ca14a634679b9bed5bca9f349a8526d0f35

* <https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.tar.xz>

SIZE: 11323612 bytes
SHA1: 5008b35d386c4b663b7956a0790b6aa7ae5dc9a9
SHA256: 7601e4b83f4f17bc1affe091502dd465282ffba0761dea57c071ead21b132cee
SHA512: 4fe5f8bad5d320f8f17b02ce15afee341e7b0074efcfd98d8944e0cb7c448e0660c4553dd5c0328ee3b49fea3247642f85c60bdce431ed57f58b6326dfd48ee1

* <https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.6.zip>

SIZE: 21263348 bytes
SHA1: 4a3859319dd9f1f4d43e2a2bf874ca8233d39b15
SHA256: c86b0a9bfe47df5639cf134eabd3ebc2711794226ccb02e22094e46aa3e887f4
SHA512: 8aa96c4e6692ed8c9f8fe4ceb2a91829bb5fa98ef53a4bc85f3a3d0cd66d60bb80985359bd9f7020de7d1cc39c7223559aa20dfdcc01d890624b71b935c6f8da

## Release Comment

Thanks to everyone who helped with this release.

The maintenance of Ruby 2.5, including this release, is based on the “Agreement for the Ruby stable version” of the Ruby Association.
53 changes: 53 additions & 0 deletions en/news/_posts/2019-08-28-ruby-2-6-4-released.md
@@ -0,0 +1,53 @@
---
layout: news_post
title: "Ruby 2.6.4 Released"
author: "nagachika"
translator:
date: 2019-08-28 09:00:00 +0000
lang: en
---

Ruby 2.6.4 has been released.

This release includes a security fix of rdoc.
Please check the topics below for details.

* [Multiple jQuery vulnerabilities in RDoc](/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/)

See the [commit logs](https://github.com/ruby/ruby/compare/v2_6_3...v2_6_4) for changes in detail.

## Download

* <https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.tar.bz2>

SIZE: 14426299 bytes
SHA1: fa1c7b7f91edb92de449cb1ae665901ba51a8b81
SHA256: fa1ecc67b99fa13201499002669412eae7cfbe2c30c4f1f4526e8491edfc5fa7
SHA512: a9fa2f51fb5f86cd8dcaa0925fe6f13d4f19f110b5d4c5fd251f199d16aaf920db39ad3bb50460eb94ab8d471ab2ac8bb54daea4a3bb080eaf45250aac3437fe

* <https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.tar.gz>

SIZE: 16503137 bytes
SHA1: 2eaddc428cb5d210cfc256a7e6947196ed24355b
SHA256: 4fc1d8ba75505b3797020a6ffc85a8bcff6adc4dabae343b6572bf281ee17937
SHA512: 3dad0d98695e10ece015933e96114ffd9a10d3c59d1ead8a9ab041df113aabee3f4100aa7ffe7ef5c43b62ac3c7506c3f3ceeb8828b2a800b6d0f4119d5bf926

* <https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.tar.xz>

SIZE: 11727940 bytes
SHA1: 6ef7d60b8aaa5efb04de2eb4b682f91bc0ab3910
SHA256: df593cd4c017de19adf5d0154b8391bb057cef1b72ecdd4a8ee30d3235c65f09
SHA512: 930a4162fdb008d2446247908c14269fd13db4dc80bd2bb201a65a69c03f5933f97b4c5079ccd2a12db4934ff97b2debaa10a6c6f5c3060e55873f4397747eaa

* <https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.4.zip>

SIZE: 19922060 bytes
SHA1: 3e1d98afc7804a291abe42f0b8e2e98219e41ca3
SHA256: 8446eaaa633a8d55146df0874154b8eb1e5ea5a000d803503d83fd67d9e9372c
SHA512: 5696f2921b8488bde42536dd23d933c8a5ab9ce33632760d217d79567324c4a20f8007d4815f33e56c0a764d1ca372b40c41a5937f9938bb1d63ea078d10d657


## Release Comment

Many committers, developers, and users who provided bug reports helped us make this release.
Thanks for their contributions.
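Review bot: "a security fix of rdoc" should use the project's capitalisation "RDoc", as the linked advisory title does; there is also a stray doubled blank line before "## Release Comment".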
@@ -0,0 +1,75 @@
---
layout: news_post
title: "RDoc における jQuery の脆弱性について"
author: "aycabta"
translator:
date: 2019-08-28 09:00:00 +0000
tags: security
lang: ja
---

Ruby の標準添付ライブラリである RDoc に、jQuery に関するクロスサイトスクリプティング(XSS)の脆弱性が発見されました。
全ての ruby ユーザーは、この問題に対するセキュリティフィックスが含まれた RDoc をバンドルするバージョンに更新することが推奨されます。
また、現在、RDoc が生成した HTML ドキュメントを公開している場合は、セキュリティフィックスが含まれた RDoc を使用して HTML ドキュメントを再生成する必要があります。

## 詳細

以下の脆弱性が報告されています。

* [CVE-2012-6708](https://nvd.nist.gov/vuln/detail/CVE-2012-6708)
* [CVE-2015-9251](https://nvd.nist.gov/vuln/detail/CVE-2015-9251)

この問題の影響を受けるバージョンの Ruby のユーザーは、最新の Ruby に更新するか、下記の回避策を取ってください。

また、現在、RDoc が生成した HTML ドキュメントには、XSS 脆弱性が存在している可能性があります。
そのため、これらの HTML ドキュメントを公開している場合は、その HTML ドキュメント自体を再生する必要があります。

## 影響を受けるバージョン

* Ruby 2.3 系列の全てのリリース
* Ruby 2.4.6 以前の全ての Ruby 2.4 系列
* Ruby 2.5.5 以前の全ての Ruby 2.5 系列
* Ruby 2.6.3 以前の全ての Ruby 2.6 系列
* commit xxxx より前の開発版

## 回避策

原則としては、Ruby 自体を最新のリリースに更新してください。それができない場合は、以下のコマンドを実行することにより、RDoc を最新版 (6.1.2 以降) に更新することによって、各脆弱性が修正されます。

```
gem install rdoc -f
```

その際に以下のようなメッセージが出るので、 `Overwrite the executable? [yN]` と出る度に随時 `y` を入力し Enter で確定することで更新を続行してください。

```
Updating installed gems
Updating rdoc
Fetching: rdoc-6.1.1.gem (100%)
rdoc's executable "rdoc" conflicts with /home/aycabta/.rbenv/versions/2.5.3/bin/rdoc
Overwrite the executable? [yN] y
rdoc's executable "ri" conflicts with /home/aycabta/.rbenv/versions/2.5.3/bin/ri
Overwrite the executable? [yN] y
Successfully installed rdoc-6.1.1
Parsing documentation for rdoc-6.1.1
Installing ri documentation for rdoc-6.1.1
Installing darkfish documentation for rdoc-6.1.1
Done installing documentation for rdoc after 6 seconds
Parsing documentation for rdoc-6.1.1
Done installing documentation for rdoc after 3 seconds
Gems updated: rdoc
```

開発版については、HEAD に更新してください。

なお、RDoc は静的ドキュメント生成ツールです。
したがって、RDoc 自体を修正しても、既に生成済みの HTML ドキュメントの脆弱性は解消されません。
これらの HTML ドキュメントを公開している場合は、以上いずれかの対策を行った上で、該当の HTML ドキュメントを再生成してください。

## クレジット

この脆弱性情報は、[Chris Seaton](https://hackerone.com/chrisseaton) 氏によって報告されました。

## 更新履歴

* 2019-08-28 09:00:00 (JST) 初版
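Review bot: the affected-versions list still contains the placeholder `commit xxxx より前の開発版`, whereas the English post names the commit as f308ab2131ee675000926540cbb8c13c91dc3be5; fill in the hash before merging so the Japanese advisory is not published with a placeholder. The history line says `(JST)` while the front-matter date is `09:00:00 +0000` and the English post says UTC; the timezone labels should agree. As in the English post, the transcript shows rdoc-6.1.1 being installed while the text says the fix is in 6.1.2 or later.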