ruby-security-ann
1–30 of 219
Security announcements for Ruby, Rails, Rubygems, Bundler, and other Ruby ecosystem projects.
Mike Dalessio
12/13/22
[ANN] rails-html-sanitizer security update v1.4.4
rails-html-sanitizer v1.4.4 has been released. This is a security update which addresses multiple
Mike Dalessio
12/13/22
[ANN] loofah security update v2.19.1
loofah v2.19.1 has been released. This is a security update which addresses multiple CVEs, and users are
an...@arko.net
12/8/22
Ruby 3.1.3 Released
Ruby 3.1.3 has been released. This release includes a security fix. Please check the topics below for
an...@arko.net
12/8/22
Ruby 2.7.7 Released
Ruby 2.7.7 has been released. This release includes a security fix. Please check the topics below for
an...@arko.net
12/8/22
CVE-2021-33621: HTTP response splitting in CGI
We have released the cgi gem versions 0.3.5, 0.2.2, and 0.1.0.2 that have a security fix for an HTTP
an...@arko.net
12/8/22
Ruby 3.0.5 Released
Ruby 3.0.5 has been released. This release includes a security fix. Please check the topics below for
Mike Dalessio
12/7/22
[ANN] Nokogiri security update v1.13.10
Nokogiri v1.13.10 has been released with a security update for CRuby users. The release notes[1] are
Mike Dalessio
10/18/22
[ANN] Nokogiri security update v1.13.9
Nokogiri v1.13.9 has been released with a security update for CRuby users. The release notes are
Aaron Patterson
7/12/22
[CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record
There is a possible escalation to RCE when using YAML serialized columns in Active Record. This
Mike Dalessio
6/9/22
[CVE-2022-32209] Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This
Mike Dalessio
6/9/22
[ANN] mechanize security update v2.8.5
Mechanize v2.8.5 has been released with a security update. The release notes are reproduced below for
Aaron Patterson
5/27/22
[CVE-2022-30123] Possible shell escape sequence injection vulnerability in Rack
There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger
Aaron Patterson
5/27/22
[CVE-2022-30122] Denial of Service Vulnerability in Rack Multipart Parsing
There is a possible denial of service vulnerability in the multipart parsing component of Rack. This
Mike Dalessio
5/8/22
[ANN] Nokogiri security update v1.13.6
Nokogiri v1.13.6 has been released with a security update for CRuby users. The release notes are
Mike Dalessio
5/4/22
[ANN] Nokogiri security update v1.13.5
Nokogiri v1.13.5 has been released with a security update for CRuby users. The changelog entry is
Aaron Patterson
4/26/22
[CVE-2022-27777] Possible XSS Vulnerability in Action View tag helpers
There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash
Aaron Patterson
4/26/22
[CVE-2022-22577] Possible XSS Vulnerability in Action Pack
There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned
an...@arko.net
4/12/22
Ruby 2.6.10 Released
Ruby 2.6.10 has been released. This release includes a security fix. Please check the topics below
an...@arko.net
4/12/22
CVE-2022-28739: Buffer overrun in String-to-Float conversion
A buffer-overrun vulnerability was discovered in a conversion algorithm from a String to a Float. This
an...@arko.net
4/12/22
CVE-2022-28738: Double free in Regexp compilation
A double-free vulnerability was discovered in Regexp compilation. This vulnerability has been assigned
an...@arko.net
4/12/22
Ruby 3.0.4 Released
Ruby 3.0.4 has been released. This release includes security fixes. Please check the topics below for
an...@arko.net
4/12/22
Ruby 2.7.6 Released
Ruby 2.7.6 has been released. This release includes a security fix. Please check the topics below for
an...@arko.net
4/12/22
Ruby 3.1.2 Released
Ruby 3.1.2 has been released. This release includes security fixes. Please check the topics below for
Mike Dalessio
4/11/22
[ANN] Nokogiri security update v1.13.4
Nokogiri v1.13.4 has been released, with multiple security updates for both CRuby and JRuby users.
Aaron Patterson
3/8/22
[CVE-2022-21831] Possible code injection vulnerability in Rails / Active Storage
There is a possible code injection vulnerability in the Active Storage module of Rails. This
Mike Dalessio
2/22/22
[ANN] Nokogiri security update v1.13.2
Final update: Nokogiri v1.13.3 has been released which patches libxml2 to address the HTML4 parsing
Aaron Patterson
2/11/22
[CVE-2022-23633] Possible exposure of information vulnerability in Action Pack
Impact: Under certain circumstances response bodies will not be closed, for example a bug in a
Aaron Patterson
12/14/21
[CVE-2021-44528] Possible Open Redirect in Host Authorization Middleware
There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack.
an...@arko.net
11/24/21
Ruby 3.0.3 Released
Ruby 3.0.3 has been released. This release includes security fixes. Please check the topics below for
an...@arko.net
11/24/21
CVE-2021-41816: Buffer Overrun in CGI.escape_html
A buffer overrun vulnerability was discovered in CGI.escape_html. This vulnerability has been