From 140b9e2502c434af3fdde7ee5cc1343fc3d520e7 Mon Sep 17 00:00:00 2001 From: Chayoung You Date: Sat, 19 Feb 2022 18:02:21 +0900 Subject: [PATCH 1/2] Import original articles --- .../_posts/2021-04-05-ruby-2-5-9-released.md | 58 +++++++++++++++++ .../_posts/2021-04-05-ruby-2-6-7-released.md | 64 +++++++++++++++++++ .../_posts/2021-04-05-ruby-2-7-3-released.md | 55 ++++++++++++++++ .../_posts/2021-04-05-ruby-3-0-1-released.md | 48 ++++++++++++++ ...ath-traversal-on-windows-cve-2021-28966.md | 32 ++++++++++ ...p-vulnerability-in-rexml-cve-2021-28965.md | 44 +++++++++++++ 6 files changed, 301 insertions(+) create mode 100644 ko/news/_posts/2021-04-05-ruby-2-5-9-released.md create mode 100644 ko/news/_posts/2021-04-05-ruby-2-6-7-released.md create mode 100644 ko/news/_posts/2021-04-05-ruby-2-7-3-released.md create mode 100644 ko/news/_posts/2021-04-05-ruby-3-0-1-released.md create mode 100644 ko/news/_posts/2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md create mode 100644 ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md diff --git a/ko/news/_posts/2021-04-05-ruby-2-5-9-released.md b/ko/news/_posts/2021-04-05-ruby-2-5-9-released.md new file mode 100644 index 0000000000..3ffa682bdf --- /dev/null +++ b/ko/news/_posts/2021-04-05-ruby-2-5-9-released.md 
@@ -0,0 +1,58 @@ +--- +layout: news_post +title: "Ruby 2.5.9 Released" +author: "usa" +translator: +date: 2021-04-05 12:00:00 +0000 +lang: en +--- + +Ruby 2.5.9 has been released. + +This release includes security fixes. +Please check the topics below for details. + +* [CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick]({%link en/news/_posts/2020-09-29-http-request-smuggling-cve-2020-25613.md %}) +* [CVE-2021-28965: XML round-trip vulnerability in REXML]({% link en/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md %}) + +See the [commit logs](https://github.com/ruby/ruby/compare/v2_5_8...v2_5_9) for details. + +After this release, Ruby 2.5 reaches EOL. In other words, this is the last release of Ruby 2.5 series. +We will not release Ruby 2.5.10 even if a security vulnerability is found. +We recommend all Ruby 2.5 users to upgrade to Ruby 3.0, 2.7 or 2.6 immediately. + +## Download + +{% assign release = site.data.releases | where: "version", "2.5.9" | first %} + +* <{{ release.url.bz2 }}> + + SIZE: {{ release.size.bz2 }} + SHA1: {{ release.sha1.bz2 }} + SHA256: {{ release.sha256.bz2 }} + SHA512: {{ release.sha512.bz2 }} + +* <{{ release.url.gz }}> + + SIZE: {{ release.size.gz }} + SHA1: {{ release.sha1.gz }} + SHA256: {{ release.sha256.gz }} + SHA512: {{ release.sha512.gz }} + +* <{{ release.url.xz }}> + + SIZE: {{ release.size.xz }} + SHA1: {{ release.sha1.xz }} + SHA256: {{ release.sha256.xz }} + SHA512: {{ release.sha512.xz }} + +* <{{ release.url.zip }}> + + SIZE: {{ release.size.zip }} + SHA1: {{ release.sha1.zip }} + SHA256: {{ release.sha256.zip }} + SHA512: {{ release.sha512.zip }} + +## Release Comment + +Thanks to everyone who helped with this release, especially, to reporters of the vulnerability. diff --git a/ko/news/_posts/2021-04-05-ruby-2-6-7-released.md b/ko/news/_posts/2021-04-05-ruby-2-6-7-released.md new file mode 100644 index 0000000000..387c8c8e4b --- /dev/null 
+++ b/ko/news/_posts/2021-04-05-ruby-2-6-7-released.md 
@@ -0,0 +1,64 @@ +--- +layout: news_post +title: "Ruby 2.6.7 Released" +author: "usa" +translator: +date: 2021-04-05 12:00:00 +0000 +lang: en +--- + +Ruby 2.6.7 has been released. + +This release includes security fixes. +Please check the topics below for details. + +* [CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick]({%link en/news/_posts/2020-09-29-http-request-smuggling-cve-2020-25613.md %}) +* [CVE-2021-28965: XML round-trip vulnerability in REXML]({% link en/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md %}) + +See the [commit logs](https://github.com/ruby/ruby/compare/v2_6_6...v2_6_7) for details. + +By this release, we end the normal maintenance phase of Ruby 2.6, +and Ruby 2.6 enters the security maintenance phase. +This means that we will no longer backport any bug fixes to Ruby 2.6 except security fixes. +The term of the security maintenance phase is scheduled for a year. +Ruby 2.6 reaches EOL and its official support ends by the end of the security maintenance phase. +Therefore, we recommend that you start to plan upgrade to Ruby 2.7 or 3.0. + +## Download + +{% assign release = site.data.releases | where: "version", "2.6.7" | first %} + +* <{{ release.url.bz2 }}> + + SIZE: {{ release.size.bz2 }} + SHA1: {{ release.sha1.bz2 }} + SHA256: {{ release.sha256.bz2 }} + SHA512: {{ release.sha512.bz2 }} + +* <{{ release.url.gz }}> + + SIZE: {{ release.size.gz }} + SHA1: {{ release.sha1.gz }} + SHA256: {{ release.sha256.gz }} + SHA512: {{ release.sha512.gz }} + +* <{{ release.url.xz }}> + + SIZE: {{ release.size.xz }} + SHA1: {{ release.sha1.xz }} + SHA256: {{ release.sha256.xz }} + SHA512: {{ release.sha512.xz }} + +* <{{ release.url.zip }}> + + SIZE: {{ release.size.zip }} + SHA1: {{ release.sha1.zip }} + SHA256: {{ release.sha256.zip }} + SHA512: {{ release.sha512.zip }} + +## Release Comment + +Many committers, developers, and users who provided bug reports helped us make this release. 
+Thanks for their contributions. + +The maintenance of Ruby 2.6, including this release, is based on the "Agreement for the Ruby stable version" of the Ruby Association. diff --git a/ko/news/_posts/2021-04-05-ruby-2-7-3-released.md b/ko/news/_posts/2021-04-05-ruby-2-7-3-released.md new file mode 100644 index 0000000000..3df40cdd5a --- /dev/null +++ b/ko/news/_posts/2021-04-05-ruby-2-7-3-released.md @@ -0,0 +1,55 @@ +--- +layout: news_post +title: "Ruby 2.7.3 Released" +author: "nagachika" +translator: +date: 2021-04-05 12:00:00 +0000 +lang: en +--- + +Ruby 2.7.3 has been released. + +This release includes security fixes. +Please check the topics below for details. + +* [CVE-2021-28965: XML round-trip vulnerability in REXML]({% link en/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md %}) +* [CVE-2021-28966: Path traversal in Tempfile on Windows]({% link en/news/_posts/2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md %}) + +See the [commit logs](https://github.com/ruby/ruby/compare/v2_7_2...v2_7_3) for details. + +## Download + +{% assign release = site.data.releases | where: "version", "2.7.3" | first %} + +* <{{ release.url.bz2 }}> + + SIZE: {{ release.size.bz2 }} + SHA1: {{ release.sha1.bz2 }} + SHA256: {{ release.sha256.bz2 }} + SHA512: {{ release.sha512.bz2 }} + +* <{{ release.url.gz }}> + + SIZE: {{ release.size.gz }} + SHA1: {{ release.sha1.gz }} + SHA256: {{ release.sha256.gz }} + SHA512: {{ release.sha512.gz }} + +* <{{ release.url.xz }}> + + SIZE: {{ release.size.xz }} + SHA1: {{ release.sha1.xz }} + SHA256: {{ release.sha256.xz }} + SHA512: {{ release.sha512.xz }} + +* <{{ release.url.zip }}> + + SIZE: {{ release.size.zip }} + SHA1: {{ release.sha1.zip }} + SHA256: {{ release.sha256.zip }} + SHA512: {{ release.sha512.zip }} + +## Release Comment + +Many committers, developers, and users who provided bug reports helped us make this release. +Thanks for their contributions. 
diff --git a/ko/news/_posts/2021-04-05-ruby-3-0-1-released.md b/ko/news/_posts/2021-04-05-ruby-3-0-1-released.md new file mode 100644 index 0000000000..739b8d5a60 --- /dev/null +++ b/ko/news/_posts/2021-04-05-ruby-3-0-1-released.md @@ -0,0 +1,48 @@ +--- +layout: news_post +title: "Ruby 3.0.1 Released" +author: "naruse" +translator: +date: 2021-04-05 12:00:00 +0000 +lang: en +--- + +Ruby 3.0.1 has been released. + +This release includes security fixes. +Please check the topics below for details. + +* [CVE-2021-28965: XML round-trip vulnerability in REXML]({% link en/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md %}) +* [CVE-2021-28966: Path traversal in Tempfile on Windows]({% link en/news/_posts/2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md %}) + +See the [commit logs](https://github.com/ruby/ruby/compare/v3_0_0...v3_0_1) for details. + +## Download + +{% assign release = site.data.releases | where: "version", "3.0.1" | first %} + +* <{{ release.url.gz }}> + + SIZE: {{ release.size.gz }} + SHA1: {{ release.sha1.gz }} + SHA256: {{ release.sha256.gz }} + SHA512: {{ release.sha512.gz }} + +* <{{ release.url.xz }}> + + SIZE: {{ release.size.xz }} + SHA1: {{ release.sha1.xz }} + SHA256: {{ release.sha256.xz }} + SHA512: {{ release.sha512.xz }} + +* <{{ release.url.zip }}> + + SIZE: {{ release.size.zip }} + SHA1: {{ release.sha1.zip }} + SHA256: {{ release.sha256.zip }} + SHA512: {{ release.sha512.zip }} + +## Release Comment + +Many committers, developers, and users who provided bug reports helped us make this release. +Thanks for their contributions. diff --git a/ko/news/_posts/2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md b/ko/news/_posts/2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md new file mode 100644 index 0000000000..1b4940c6ed --- /dev/null +++ b/ko/news/_posts/2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md 
@@ -0,0 +1,32 @@ +--- +layout: news_post +title: "CVE-2021-28966: Path traversal in Tempfile on Windows" +author: "mame" +translator: +date: 2021-04-05 12:00:00 +0000 +tags: security +lang: en +--- + +There is an unintentional directory creation vulnerability in tmpdir library bundled with Ruby on Windows. And there is also an unintentional file creation vulnerability in tempfile library bundled with Ruby on Windows, because it uses tmpdir internally. This vulnerability has been assigned the CVE identifier [CVE-2021-28966](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28966). + +## Details + +`Dir.mktmpdir` method introduced by tmpdir library accepts the prefix and the suffix of the directory which is created as the first parameter. The prefix can contain relative directory specifiers `"..\\"`, so this method can be used to target any directory. So, if a script accepts an external input as the prefix, and the targeted directory has inappropriate permissions or the ruby process has inappropriate privileges, the attacker can create a directory or a file at any directory. + +This is the same issue as [CVE-2018-6914](https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/), but the previous fix was incomplete on Windows. + +All users running an affected release should upgrade immediately. + +## Affected versions + +* Ruby 2.7.2 or prior +* Ruby 3.0.0 + +## Credits + +Thanks to [Bugdiscloseguys](https://hackerone.com/bugdiscloseguys) for discovering this issue. + +## History + +* Originally published at 2021-04-05 12:00:00 (UTC) diff --git a/ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md b/ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md new file mode 100644 index 0000000000..b6225aa9cc --- /dev/null +++ b/ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md 
@@ -0,0 +1,44 @@ +--- +layout: news_post +title: "CVE-2021-28965: XML round-trip vulnerability in REXML" +author: "mame" +translator: +date: 2021-04-05 12:00:00 +0000 +tags: security +lang: en +--- + +There is an XML round-trip vulnerability in REXML gem bundled with Ruby. This vulnerability has been assigned the CVE identifier [CVE-2021-28965](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28965). We strongly recommend upgrading the REXML gem. + +## Details + +When parsing and serializing a crafted XML document, REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML. + +Please update REXML gem to version 3.2.5 or later. + +If you are using Ruby 2.6 or later: + +* Please use Ruby 2.6.7, 2.7.3, or 3.0.1. +* Alternatively, you can use `gem update rexml` to update it. If you are using bundler, please add `gem "rexml", ">= 3.2.5"` to your `Gemfile`. + +If you are using Ruby 2.5.8 or prior: + +* Please use Ruby 2.5.9. +* You cannot use `gem update rexml` for Ruby 2.5.8 or prior. +* Note that Ruby 2.5 series is now EOL, so please consider upgrading Ruby to 2.6.7 or later as soon as possible. + +## Affected versions + +* Ruby 2.5.8 or prior (You can NOT use `gem update rexml` for this version.) +* Ruby 2.6.6 or prior +* Ruby 2.7.2 or prior +* Ruby 3.0.0 +* REXML gem 3.2.4 or prior + +## Credits + +Thanks to [Juho Nurminen](https://hackerone.com/jupenur) for discovering this issue. + +## History + +* Originally published at 2021-04-05 12:00:00 (UTC) From 27ff238b3bb0b679dd5b7242047dcf919f08f7fe Mon Sep 17 00:00:00 2001 
From: Chayoung You Date: Sat, 19 Feb 2022 22:11:45 +0900 Subject: [PATCH 2/2] Translate 2021-04-05 news (ko) --- .../_posts/2021-04-05-ruby-2-5-9-released.md | 30 ++++++------ .../_posts/2021-04-05-ruby-2-6-7-released.md | 40 ++++++++-------- .../_posts/2021-04-05-ruby-2-7-3-released.md | 26 +++++------ .../_posts/2021-04-05-ruby-3-0-1-released.md | 26 +++++------ ...ath-traversal-on-windows-cve-2021-28966.md | 28 +++++------ ...p-vulnerability-in-rexml-cve-2021-28965.md | 46 +++++++++---------- 6 files changed, 98 insertions(+), 98 deletions(-) diff --git a/ko/news/_posts/2021-04-05-ruby-2-5-9-released.md b/ko/news/_posts/2021-04-05-ruby-2-5-9-released.md index 3ffa682bdf..1d8bb925de 100644 --- a/ko/news/_posts/2021-04-05-ruby-2-5-9-released.md +++ b/ko/news/_posts/2021-04-05-ruby-2-5-9-released.md 
@@ -1,27 +1,27 @@ --- layout: news_post -title: "Ruby 2.5.9 Released" +title: "Ruby 2.5.9 릴리스" author: "usa" -translator: +translator: "yous" date: 2021-04-05 12:00:00 +0000 -lang: en +lang: ko --- -Ruby 2.5.9 has been released. +Ruby 2.5.9가 릴리스되었습니다. -This release includes security fixes. -Please check the topics below for details. +이 릴리스는 보안 수정을 포함합니다. +자세한 사항은 아래 글을 확인해보세요. -* [CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick]({%link en/news/_posts/2020-09-29-http-request-smuggling-cve-2020-25613.md %}) -* [CVE-2021-28965: XML round-trip vulnerability in REXML]({% link en/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md %}) +* [CVE-2020-25613: WEBrick의 잠재적인 HTTP 요청 스머글링 취약점]({%link ko/news/_posts/2020-09-29-http-request-smuggling-cve-2020-25613.md %}) +* [CVE-2021-28965: REXML의 XML 왕복 변환(round-trip) 취약점]({% link ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md %}) -See the [commit logs](https://github.com/ruby/ruby/compare/v2_5_8...v2_5_9) for details. +자세한 사항은 [커밋 로그](https://github.com/ruby/ruby/compare/v2_5_8...v2_5_9)를 확인해주세요. -After this release, Ruby 2.5 reaches EOL. In other words, this is the last release of Ruby 2.5 series. -We will not release Ruby 2.5.10 even if a security vulnerability is found. -We recommend all Ruby 2.5 users to upgrade to Ruby 3.0, 2.7 or 2.6 immediately. +이 릴리스 이후로 Ruby 2.5의 지원이 종료됩니다. 즉, 이는 Ruby 2.5 버전대의 마지막 릴리스입니다. +보안 취약점이 발견되어도 Ruby 2.5.10이 릴리스되지 않습니다. +모든 Ruby 2.5 사용자는 Ruby 3.0, 2.7, 2.6으로 즉시 업그레이드하기 바랍니다. -## Download +## 다운로드 {% assign release = site.data.releases | where: "version", "2.5.9" | first %} 
@@ -53,6 +53,6 @@ We recommend all Ruby 2.5 users to upgrade to Ruby 3.0, 2.7 or 2.6 immediately. SHA256: {{ release.sha256.zip }} SHA512: {{ release.sha512.zip }} -## Release Comment +## 릴리스 코멘트 -Thanks to everyone who helped with this release, especially, to reporters of the vulnerability. +이 릴리스를 만드는 데 도움을 준 모든 분, 특히 취약점을 보고해 준 분에게 감사드립니다. diff --git a/ko/news/_posts/2021-04-05-ruby-2-6-7-released.md b/ko/news/_posts/2021-04-05-ruby-2-6-7-released.md index 387c8c8e4b..d0249b9e38 100644 --- a/ko/news/_posts/2021-04-05-ruby-2-6-7-released.md +++ b/ko/news/_posts/2021-04-05-ruby-2-6-7-released.md 
@@ -1,30 +1,30 @@ --- layout: news_post -title: "Ruby 2.6.7 Released" +title: "Ruby 2.6.7 릴리스" author: "usa" -translator: +translator: "yous" date: 2021-04-05 12:00:00 +0000 -lang: en +lang: ko --- -Ruby 2.6.7 has been released. +Ruby 2.6.7이 릴리스되었습니다. -This release includes security fixes. -Please check the topics below for details. +이 릴리스는 보안 수정을 포함합니다. +자세한 사항은 아래 글을 확인해보세요. -* [CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick]({%link en/news/_posts/2020-09-29-http-request-smuggling-cve-2020-25613.md %}) -* [CVE-2021-28965: XML round-trip vulnerability in REXML]({% link en/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md %}) +* [CVE-2020-25613: WEBrick의 잠재적인 HTTP 요청 스머글링 취약점]({%link ko/news/_posts/2020-09-29-http-request-smuggling-cve-2020-25613.md %}) +* [CVE-2021-28965: REXML의 XML 왕복 변환(round-trip) 취약점]({% link ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md %}) -See the [commit logs](https://github.com/ruby/ruby/compare/v2_6_6...v2_6_7) for details. +자세한 사항은 [커밋 로그](https://github.com/ruby/ruby/compare/v2_6_6...v2_6_7)를 확인해주세요. -By this release, we end the normal maintenance phase of Ruby 2.6, -and Ruby 2.6 enters the security maintenance phase. -This means that we will no longer backport any bug fixes to Ruby 2.6 except security fixes. -The term of the security maintenance phase is scheduled for a year. -Ruby 2.6 reaches EOL and its official support ends by the end of the security maintenance phase. -Therefore, we recommend that you start to plan upgrade to Ruby 2.7 or 3.0. +이 릴리스 이후로 Ruby 2.6은 일반 유지보수 단계가 종료되고, +보안 유지보수 단계가 됩니다. +즉, 보안 수정을 제외한 버그 수정은 Ruby 2.6으로 백포트되지 않습니다. +보안 유지보수 단계의 기간은 1년으로 계획되어 있습니다. +이 기간이 끝나면 Ruby 2.6의 공식 지원도 종료됩니다. +그러므로 Ruby 2.7이나 3.0으로 업그레이드할 계획을 세우기 바랍니다. -## Download +## 다운로드 {% assign release = site.data.releases | where: "version", "2.6.7" | first %} 
@@ -56,9 +56,9 @@ Therefore, we recommend that you start to plan upgrade to Ruby 2.7 or 3.0. SHA256: {{ release.sha256.zip }} SHA512: {{ release.sha512.zip }} -## Release Comment +## 릴리스 코멘트 -Many committers, developers, and users who provided bug reports helped us make this release. -Thanks for their contributions. +많은 커미터, 개발자, 버그를 보고해 준 사용자들이 이 릴리스를 만드는 데 도움을 주었습니다. +그들의 기여에 감사드립니다. -The maintenance of Ruby 2.6, including this release, is based on the "Agreement for the Ruby stable version" of the Ruby Association. +이 릴리스를 포함한 Ruby 2.6의 유지보수는 Ruby Association의 "Ruby 안정 버전에 관한 협의"에 기반해 이루어집니다. diff --git a/ko/news/_posts/2021-04-05-ruby-2-7-3-released.md b/ko/news/_posts/2021-04-05-ruby-2-7-3-released.md index 3df40cdd5a..c647c08ff1 100644 --- a/ko/news/_posts/2021-04-05-ruby-2-7-3-released.md +++ b/ko/news/_posts/2021-04-05-ruby-2-7-3-released.md 
@@ -1,23 +1,23 @@ --- layout: news_post -title: "Ruby 2.7.3 Released" +title: "Ruby 2.7.3 릴리스" author: "nagachika" -translator: +translator: "yous" date: 2021-04-05 12:00:00 +0000 -lang: en +lang: ko --- -Ruby 2.7.3 has been released. +Ruby 2.7.3이 릴리스되었습니다. -This release includes security fixes. -Please check the topics below for details. +이 릴리스는 보안 수정을 포함합니다. +자세한 사항은 아래 글을 확인해보세요. -* [CVE-2021-28965: XML round-trip vulnerability in REXML]({% link en/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md %}) -* [CVE-2021-28966: Path traversal in Tempfile on Windows]({% link en/news/_posts/2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md %}) +* [CVE-2021-28965: REXML의 XML 왕복 변환(round-trip) 취약점]({% link ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md %}) +* [CVE-2021-28966: Windows 환경 Tempfile의 경로 탐색 취약점]({% link ko/news/_posts/2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md %}) -See the [commit logs](https://github.com/ruby/ruby/compare/v2_7_2...v2_7_3) for details. +자세한 사항은 [커밋 로그](https://github.com/ruby/ruby/compare/v2_7_2...v2_7_3)를 확인해주세요. -## Download +## 다운로드 {% assign release = site.data.releases | where: "version", "2.7.3" | first %} @@ -49,7 +49,7 @@ See the [commit logs](https://github.com/ruby/ruby/compare/v2_7_2...v2_7_3) for SHA256: {{ release.sha256.zip }} SHA512: {{ release.sha512.zip }} -## Release Comment +## 릴리스 코멘트 -Many committers, developers, and users who provided bug reports helped us make this release. -Thanks for their contributions. +많은 커미터, 개발자, 버그를 보고해 준 사용자들이 이 릴리스를 만드는 데 도움을 주었습니다. +그들의 기여에 감사드립니다. diff --git a/ko/news/_posts/2021-04-05-ruby-3-0-1-released.md b/ko/news/_posts/2021-04-05-ruby-3-0-1-released.md index 739b8d5a60..ca0d8b3f69 100644 --- a/ko/news/_posts/2021-04-05-ruby-3-0-1-released.md +++ b/ko/news/_posts/2021-04-05-ruby-3-0-1-released.md 
@@ -1,23 +1,23 @@ --- layout: news_post -title: "Ruby 3.0.1 Released" +title: "Ruby 3.0.1 릴리스" author: "naruse" -translator: +translator: "yous" date: 2021-04-05 12:00:00 +0000 -lang: en +lang: ko --- -Ruby 3.0.1 has been released. +Ruby 3.0.1이 릴리스되었습니다. -This release includes security fixes. -Please check the topics below for details. +이 릴리스는 보안 수정을 포함합니다. +자세한 사항은 아래 글을 확인해보세요. -* [CVE-2021-28965: XML round-trip vulnerability in REXML]({% link en/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md %}) -* [CVE-2021-28966: Path traversal in Tempfile on Windows]({% link en/news/_posts/2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md %}) +* [CVE-2021-28965: REXML의 XML 왕복 변환(round-trip) 취약점]({% link ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md %}) +* [CVE-2021-28966: Windows 환경 Tempfile의 경로 탐색 취약점]({% link ko/news/_posts/2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md %}) -See the [commit logs](https://github.com/ruby/ruby/compare/v3_0_0...v3_0_1) for details. +자세한 사항은 [커밋 로그](https://github.com/ruby/ruby/compare/v3_0_0...v3_0_1)를 확인해주세요. -## Download +## 다운로드 {% assign release = site.data.releases | where: "version", "3.0.1" | first %} @@ -42,7 +42,7 @@ See the [commit logs](https://github.com/ruby/ruby/compare/v3_0_0...v3_0_1) for SHA256: {{ release.sha256.zip }} SHA512: {{ release.sha512.zip }} -## Release Comment +## 릴리스 코멘트 -Many committers, developers, and users who provided bug reports helped us make this release. -Thanks for their contributions. +많은 커미터, 개발자, 버그를 보고해 준 사용자들이 이 릴리스를 만드는 데 도움을 주었습니다. +그들의 기여에 감사드립니다. diff --git a/ko/news/_posts/2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md b/ko/news/_posts/2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md index 1b4940c6ed..e4c9e27644 100644 --- a/ko/news/_posts/2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md 
+++ b/ko/news/_posts/2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md 
@@ -1,32 +1,32 @@ --- layout: news_post -title: "CVE-2021-28966: Path traversal in Tempfile on Windows" +title: "CVE-2021-28966: Windows 환경 Tempfile의 경로 탐색 취약점" author: "mame" -translator: +translator: "yous" date: 2021-04-05 12:00:00 +0000 tags: security -lang: en +lang: ko --- -There is an unintentional directory creation vulnerability in tmpdir library bundled with Ruby on Windows. And there is also an unintentional file creation vulnerability in tempfile library bundled with Ruby on Windows, because it uses tmpdir internally. This vulnerability has been assigned the CVE identifier [CVE-2021-28966](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28966). +Windows 환경에서 Ruby에 포함된 tmpdir 라이브러리에 의도하지 않은 디렉터리 생성 취약점이 있습니다. 또 Windows 환경에서 Ruby에 포함된 tempfile 라이브러리 역시 내부적으로 tmpdir을 사용하기 때문에 의도하지 않은 디렉터리 생성 취약점이 있습니다. 이 취약점은 CVE 번호 [CVE-2021-28966](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28966)에 할당되었습니다. -## Details +## 세부 내용 -`Dir.mktmpdir` method introduced by tmpdir library accepts the prefix and the suffix of the directory which is created as the first parameter. The prefix can contain relative directory specifiers `"..\\"`, so this method can be used to target any directory. So, if a script accepts an external input as the prefix, and the targeted directory has inappropriate permissions or the ruby process has inappropriate privileges, the attacker can create a directory or a file at any directory. +tmpdir 라이브러리의 `Dir.mktmpdir` 메서드는 생성할 디렉터리의 접두사와 접미사를 첫 번째 파라미터로 받습니다. 접두사는 디렉터리 상대 경로 지정자(`"..\\"`)를 포함할 수 있고, 그래서 이 메서드로 임의의 디렉터리를 지정할 수 있습니다. 그래서 스크립트가 외부 입력을 받아 접두사로 사용하면, 지정한 디렉터리의 권한이 부적절하거나 Ruby 프로세스가 부적절한 권한을 갖고 있는 경우, 공격자가 임의의 디렉터리에 디렉터리나 파일을 생성할 수 있습니다. -This is the same issue as [CVE-2018-6914](https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/), but the previous fix was incomplete on Windows. 
+이는 [CVE-2018-6914](https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/)와 같은 문제지만, 이전 수정이 Windows에서 불완전했습니다. -All users running an affected release should upgrade immediately. +해당 버전을 사용하는 모든 사용자는 즉시 업그레이드하기 바랍니다. -## Affected versions +## 해당 버전 -* Ruby 2.7.2 or prior +* Ruby 2.7.2 이하 * Ruby 3.0.0 -## Credits +## 도움을 준 사람 -Thanks to [Bugdiscloseguys](https://hackerone.com/bugdiscloseguys) for discovering this issue. +이 문제를 발견해 준 [Bugdiscloseguys](https://hackerone.com/bugdiscloseguys)에게 감사를 표합니다. -## History +## 수정 이력 -* Originally published at 2021-04-05 12:00:00 (UTC) +* 2021-04-05 12:00:00 (UTC) 최초 공개 diff --git a/ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md b/ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md index b6225aa9cc..d8b74713b5 100644 --- a/ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md +++ b/ko/news/_posts/2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md 
@@ -1,44 +1,44 @@ --- layout: news_post -title: "CVE-2021-28965: XML round-trip vulnerability in REXML" +title: "CVE-2021-28965: REXML에서 XML 왕복 변환(round-trip) 취약점" author: "mame" -translator: +translator: "yous" date: 2021-04-05 12:00:00 +0000 tags: security -lang: en +lang: ko --- -There is an XML round-trip vulnerability in REXML gem bundled with Ruby. This vulnerability has been assigned the CVE identifier [CVE-2021-28965](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28965). We strongly recommend upgrading the REXML gem. +Ruby에 포함된 REXML gem에 XML 왕복 변환(round-trip) 취약점이 있습니다. 이 취약점은 CVE 번호 [CVE-2021-28965](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28965)에 할당되었습니다. REXML gem을 업그레이드하시길 강력히 권합니다. -## Details +## 세부 내용 -When parsing and serializing a crafted XML document, REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML. +조작된 XML 문서를 파싱하고 직렬화할 때, (Ruby에 포함된 버전을 포함해서) REXML gem은 기존 문서와 다른 구조의 XML 문서를 생성할 수 있습니다. 이 문제로 받는 영향은 상황에 따라 다르지만, REXML을 사용하는 프로그램의 취약점으로 이어질 수 있습니다. -Please update REXML gem to version 3.2.5 or later. +REXML gem을 3.2.5 버전 이상으로 업데이트하시기 바랍니다. -If you are using Ruby 2.6 or later: +Ruby 2.6 이상을 사용한다면: -* Please use Ruby 2.6.7, 2.7.3, or 3.0.1. -* Alternatively, you can use `gem update rexml` to update it. If you are using bundler, please add `gem "rexml", ">= 3.2.5"` to your `Gemfile`. +* Ruby 2.6.7, 2.7.3, 3.0.1을 사용하세요. +* 또는 `gem update rexml`을 사용해 이를 업데이트할 수 있습니다. bundler를 사용한다면, `Gemfile`에 `gem "rexml", ">= 3.2.5"`를 추가하세요. -If you are using Ruby 2.5.8 or prior: +Ruby 2.5.8 이하를 사용한다면: -* Please use Ruby 2.5.9. -* You cannot use `gem update rexml` for Ruby 2.5.8 or prior. -* Note that Ruby 2.5 series is now EOL, so please consider upgrading Ruby to 2.6.7 or later as soon as possible. +* Ruby 2.5.9를 사용하세요. 
+* **Ruby 2.5.8 이하에서는 `gem update rexml`을 사용할 수 없습니다.** +* Ruby 2.5 버전대의 지원이 종료되었으니, Ruby 2.6.7 이상으로 가능한 한 빨리 업그레이드하시길 바랍니다. -## Affected versions +## 해당 버전 -* Ruby 2.5.8 or prior (You can NOT use `gem update rexml` for this version.) -* Ruby 2.6.6 or prior -* Ruby 2.7.2 or prior +* Ruby 2.5.8 이하 (이 버전에서는 `gem update rexml`을 할 수 **없습니다**.) +* Ruby 2.6.6 이하 +* Ruby 2.7.2 이하 * Ruby 3.0.0 -* REXML gem 3.2.4 or prior +* REXML gem 3.2.4 이하 -## Credits +## 도움을 준 사람 -Thanks to [Juho Nurminen](https://hackerone.com/jupenur) for discovering this issue. +이 문제를 발견해 준 [Juho Nurminen](https://hackerone.com/jupenur)에게 감사를 표합니다. -## History +## 수정 이력 -* Originally published at 2021-04-05 12:00:00 (UTC) +* 2021-04-05 12:00:00 (UTC) 최초 공개
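Review bot: in the patch 2 hunk for 2021-04-05-ruby-2-5-9-released.md, the CVE-2020-25613 bullet keeps the missing space in `{%link ko/news/_posts/2020-09-29-http-request-smuggling-cve-2020-25613.md %}` while the CVE-2021-28965 bullet directly below it uses `{% link ... %}`; please write `{% link` on both so the Liquid tag style is consistent. The same bullet also retargets the link from en/ to ko/, so the Korean translation of the 2020-09-29 request-smuggling post must already exist under ko/news/_posts/: Jekyll's `link` tag raises an error at build time when its target file is missing, and nothing in this series adds that file.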
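Review bot: the patch 2 hunk for 2021-04-05-ruby-2-6-7-released.md has the same two points as the 2.5.9 post: `{%link ko/news/_posts/2020-09-29-http-request-smuggling-cve-2020-25613.md %}` lacks the space after `{%` that the next bullet has, and the retargeted ko/ path must exist for the build to pass. A smaller point: "Ruby 2.6 reaches EOL and its official support ends by the end of the security maintenance phase." became "이 기간이 끝나면 Ruby 2.6의 공식 지원도 종료됩니다.", which drops the explicit EOL statement; it is probably acceptable, but worth a second look since the 2.5.9 post keeps its EOL sentence.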
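Review bot: the second sentence of the translated body in the 2021-04-05-tempfile-path-traversal-on-windows-cve-2021-28966.md hunk changes the meaning: the source says the tempfile library has an "unintentional file creation vulnerability", but the translation reads "tempfile 라이브러리 역시 내부적으로 tmpdir을 사용하기 때문에 의도하지 않은 디렉터리 생성 취약점이 있습니다", i.e. directory creation a second time. It should say "의도하지 않은 파일 생성 취약점"; the distinction matters because the sentence is explaining that tempfile inherits the tmpdir issue and therefore creates files, not directories. Minor: "이 취약점은 CVE 번호 [CVE-2021-28966](...)에 할당되었습니다" inverts the assignment (the identifier is assigned to the vulnerability); "이 취약점에는 CVE 번호 ...가 할당되었습니다" reads as the source does, and the same sentence pattern appears in the REXML post.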
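Review bot: the translated title in the 2021-04-05-xml-round-trip-vulnerability-in-rexml-cve-2021-28965.md hunk, "CVE-2021-28965: REXML에서 XML 왕복 변환(round-trip) 취약점", does not match the link text used for it in all four release posts, "CVE-2021-28965: REXML의 XML 왕복 변환(round-trip) 취약점" (the CVE-2021-28966 title and its link text do match); pick one form, probably "REXML의", for both. Also, the bullet "* **Ruby 2.5.8 이하에서는 `gem update rexml`을 사용할 수 없습니다.**" adds bold emphasis that the English "* You cannot use `gem update rexml` for Ruby 2.5.8 or prior." does not carry; the affected-versions line's "**없습니다**" mirrors the source's capitalised "NOT", but this one is a translator's addition, so confirm it is intended.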