ruby-security-ann

Contact owners and managers

1–30 of 228

Security announcements for Ruby, Rails, Rubygems, Bundler, and other Ruby ecosystem projects.

0 selected

Mar 16

[ANN] nokogiri security update v1.16.2

At the request of Nokogiri users, this CVE fix has also been backported to the unsupported v1.15.x

unread,

[ANN] nokogiri security update v1.16.2

At the request of Nokogiri users, this CVE fix has also been backported to the unsupported v1.15.x

Mar 16

6/29/23

CVE-2023-36617: ReDoS vulnerability in URI

We have released the uri gem version 0.12.1, 0.10.2 that has a security fix for a ReDoS vulnerability

unread,

CVE-2023-36617: ReDoS vulnerability in URI

We have released the uri gem version 0.12.1, 0.10.2 that has a security fix for a ReDoS vulnerability

6/29/23

4/11/23

[ANN] Nokogiri security update v1.14.3

Nokogiri v1.14.3 has been released with a security update for CRuby users. The release notes [1] are

unread,

[ANN] Nokogiri security update v1.14.3

Nokogiri v1.14.3 has been released with a security update for CRuby users. The release notes [1] are

4/11/23

3/30/23

Ruby 2.7.8 Released

Ruby 2.7.8 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 2.7.8 Released

Ruby 2.7.8 has been released. This release includes security fixes. Please check the topics below for

3/30/23

3/30/23

CVE-2023-28756: ReDoS vulnerability in Time

We have released the time gem version 0.1.1 and 0.2.2 that has a security fix for a ReDoS

unread,

CVE-2023-28756: ReDoS vulnerability in Time

We have released the time gem version 0.1.1 and 0.2.2 that has a security fix for a ReDoS

3/30/23

3/30/23

Ruby 3.0.6 Released

Ruby 3.0.6 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 3.0.6 Released

Ruby 3.0.6 has been released. This release includes security fixes. Please check the topics below for

3/30/23

3/30/23

Ruby 3.2.2 Released

Ruby 3.2.2 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 3.2.2 Released

Ruby 3.2.2 has been released. This release includes security fixes. Please check the topics below for

3/30/23

3/30/23

Ruby 3.1.4 Released

Ruby 3.1.4 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 3.1.4 Released

Ruby 3.1.4 has been released. This release includes security fixes. Please check the topics below for

3/30/23

3/27/23

CVE-2023-28755: ReDoS vulnerability in URI

We have released the uri gem version 0.10.0.1, 0.10.2, 0.11.1 and 0.12.1 that has a security fix for

unread,

CVE-2023-28755: ReDoS vulnerability in URI

We have released the uri gem version 0.10.0.1, 0.10.2, 0.11.1 and 0.12.1 that has a security fix for

3/27/23

12/13/22

[ANN] rails-html-sanitizer security update v1.4.4

rails-html-sanitizer v1.4.4 has been released. This is a security update which addresses multiple

unread,

[ANN] rails-html-sanitizer security update v1.4.4

rails-html-sanitizer v1.4.4 has been released. This is a security update which addresses multiple

12/13/22

12/13/22

[ANN] loofah security update v2.19.1

loofah v2.19.1 has been released. This a security update which addresses multiple CVEs, and users are

unread,

[ANN] loofah security update v2.19.1

loofah v2.19.1 has been released. This a security update which addresses multiple CVEs, and users are

12/13/22

12/8/22

Ruby 3.1.3 Released

Ruby 3.1.3 has been released. This release includes a security fix. Please check the topics below for

unread,

Ruby 3.1.3 Released

Ruby 3.1.3 has been released. This release includes a security fix. Please check the topics below for

12/8/22

12/8/22

Ruby 2.7.7 Released

Ruby 2.7.7 has been released. This release includes a security fix. Please check the topics below for

unread,

Ruby 2.7.7 Released

Ruby 2.7.7 has been released. This release includes a security fix. Please check the topics below for

12/8/22

12/8/22

CVE-2021-33621: HTTP response splitting in CGI

We have released the cgi gem version 0.3.5, 0.2.2, and 0.1.0.2 that has a security fix for a HTTP

unread,

CVE-2021-33621: HTTP response splitting in CGI

We have released the cgi gem version 0.3.5, 0.2.2, and 0.1.0.2 that has a security fix for a HTTP

12/8/22

12/8/22

Ruby 3.0.5 Released

Ruby 3.0.5 has been released. This release includes a security fix. Please check the topics below for

unread,

Ruby 3.0.5 Released

Ruby 3.0.5 has been released. This release includes a security fix. Please check the topics below for

12/8/22

12/7/22

[ANN] Nokogiri security update v1.13.10

Nokogiri v1.13.10 has been released with a security update for CRuby users. The release notes[1] are

unread,

[ANN] Nokogiri security update v1.13.10

Nokogiri v1.13.10 has been released with a security update for CRuby users. The release notes[1] are

12/7/22

10/18/22

[ANN] Nokogiri security update v1.13.9

Nokogiri v1.13.9 has been released with a security update for CRuby users. The release notes are

unread,

[ANN] Nokogiri security update v1.13.9

Nokogiri v1.13.9 has been released with a security update for CRuby users. The release notes are

10/18/22

Aaron Patterson

7/12/22

[CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record

There is a possible escalation to RCE when using YAML serialized columns in Active Record. This

unread,

[CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record

There is a possible escalation to RCE when using YAML serialized columns in Active Record. This

7/12/22

6/9/22

[CVE-2022-32209] Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This

unread,

[CVE-2022-32209] Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This

6/9/22

6/9/22

[ANN] mechanize security update v2.8.5

Mechanize v2.8.5 has been released with a security update. The release notes are reproduced below for

unread,

[ANN] mechanize security update v2.8.5

Mechanize v2.8.5 has been released with a security update. The release notes are reproduced below for

6/9/22

Aaron Patterson

5/27/22

[CVE-2022-30123] Possible shell escape sequence injection vulnerability in Rack

There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger

unread,

[CVE-2022-30123] Possible shell escape sequence injection vulnerability in Rack

There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger

5/27/22

Aaron Patterson

5/27/22

[CVE-2022-30122] Denial of Service Vulnerability in Rack Multipart Parsing

There is a possible denial of service vulnerability in the multipart parsing component of Rack. This

unread,

[CVE-2022-30122] Denial of Service Vulnerability in Rack Multipart Parsing

There is a possible denial of service vulnerability in the multipart parsing component of Rack. This

5/27/22

5/8/22

[ANN] Nokogiri security update v1.13.6

Nokogiri v1.13.6 has been released with a security update for CRuby users. The release notes are

unread,

[ANN] Nokogiri security update v1.13.6

Nokogiri v1.13.6 has been released with a security update for CRuby users. The release notes are

5/8/22

5/4/22

[ANN] Nokogiri security update v1.13.5

Nokogiri v1.13.5 has been released with a security update for CRuby users. The changelog entry is

unread,

[ANN] Nokogiri security update v1.13.5

Nokogiri v1.13.5 has been released with a security update for CRuby users. The changelog entry is

5/4/22

Aaron Patterson

4/26/22

[CVE-2022-27777] Possible XSS Vulnerability in Action View tag helpers

There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash

unread,

[CVE-2022-27777] Possible XSS Vulnerability in Action View tag helpers

There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash

4/26/22

Aaron Patterson

4/26/22

[CVE-2022-22577] Possible XSS Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned

unread,

[CVE-2022-22577] Possible XSS Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned

4/26/22

4/12/22

Ruby 2.6.10 Released

Ruby 2.6.10 has been released. This release includes a security fix. Please check the topics below

unread,

Ruby 2.6.10 Released

Ruby 2.6.10 has been released. This release includes a security fix. Please check the topics below

4/12/22

4/12/22

CVE-2022-28739: Buffer overrun in String-to-Float conversion

A buffer-overrun vulnerability is discovered in a conversion algorithm from a String to a Float. This

unread,

CVE-2022-28739: Buffer overrun in String-to-Float conversion

A buffer-overrun vulnerability is discovered in a conversion algorithm from a String to a Float. This

4/12/22

4/12/22

CVE-2022-28738: Double free in Regexp compilation

A double-free vulnerability is discovered in Regexp compilation. This vulnerability has been assigned

unread,

CVE-2022-28738: Double free in Regexp compilation

A double-free vulnerability is discovered in Regexp compilation. This vulnerability has been assigned

4/12/22

4/12/22

Ruby 3.0.4 Released

Ruby 3.0.4 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 3.0.4 Released

Ruby 3.0.4 has been released. This release includes security fixes. Please check the topics below for

4/12/22

Search

Clear search

Close search

Google apps

Main menu