ruby-security-ann

1–30 of 219

Security announcements for Ruby, Rails, Rubygems, Bundler, and other Ruby ecosystem projects.

0 selected

12/13/22

[ANN] rails-html-sanitizer security update v1.4.4

rails-html-sanitizer v1.4.4 has been released. This is a security update which addresses multiple

unread,

[ANN] rails-html-sanitizer security update v1.4.4

rails-html-sanitizer v1.4.4 has been released. This is a security update which addresses multiple

12/13/22

12/13/22

[ANN] loofah security update v2.19.1

loofah v2.19.1 has been released. This a security update which addresses multiple CVEs, and users are

unread,

[ANN] loofah security update v2.19.1

loofah v2.19.1 has been released. This a security update which addresses multiple CVEs, and users are

12/13/22

12/8/22

Ruby 3.1.3 Released

Ruby 3.1.3 has been released. This release includes a security fix. Please check the topics below for

unread,

Ruby 3.1.3 Released

Ruby 3.1.3 has been released. This release includes a security fix. Please check the topics below for

12/8/22

12/8/22

Ruby 2.7.7 Released

Ruby 2.7.7 has been released. This release includes a security fix. Please check the topics below for

unread,

Ruby 2.7.7 Released

Ruby 2.7.7 has been released. This release includes a security fix. Please check the topics below for

12/8/22

12/8/22

CVE-2021-33621: HTTP response splitting in CGI

We have released the cgi gem version 0.3.5, 0.2.2, and 0.1.0.2 that has a security fix for a HTTP

unread,

CVE-2021-33621: HTTP response splitting in CGI

We have released the cgi gem version 0.3.5, 0.2.2, and 0.1.0.2 that has a security fix for a HTTP

12/8/22

12/8/22

Ruby 3.0.5 Released

Ruby 3.0.5 has been released. This release includes a security fix. Please check the topics below for

unread,

Ruby 3.0.5 Released

Ruby 3.0.5 has been released. This release includes a security fix. Please check the topics below for

12/8/22

12/7/22

[ANN] Nokogiri security update v1.13.10

Nokogiri v1.13.10 has been released with a security update for CRuby users. The release notes[1] are

unread,

[ANN] Nokogiri security update v1.13.10

Nokogiri v1.13.10 has been released with a security update for CRuby users. The release notes[1] are

12/7/22

10/18/22

[ANN] Nokogiri security update v1.13.9

Nokogiri v1.13.9 has been released with a security update for CRuby users. The release notes are

unread,

[ANN] Nokogiri security update v1.13.9

Nokogiri v1.13.9 has been released with a security update for CRuby users. The release notes are

10/18/22

Aaron Patterson

7/12/22

[CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record

There is a possible escalation to RCE when using YAML serialized columns in Active Record. This

unread,

[CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record

There is a possible escalation to RCE when using YAML serialized columns in Active Record. This

7/12/22

6/9/22

[CVE-2022-32209] Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This

unread,

[CVE-2022-32209] Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This

6/9/22

6/9/22

[ANN] mechanize security update v2.8.5

Mechanize v2.8.5 has been released with a security update. The release notes are reproduced below for

unread,

[ANN] mechanize security update v2.8.5

Mechanize v2.8.5 has been released with a security update. The release notes are reproduced below for

6/9/22

Aaron Patterson

5/27/22

[CVE-2022-30123] Possible shell escape sequence injection vulnerability in Rack

There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger

unread,

[CVE-2022-30123] Possible shell escape sequence injection vulnerability in Rack

There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger

5/27/22

Aaron Patterson

5/27/22

[CVE-2022-30122] Denial of Service Vulnerability in Rack Multipart Parsing

There is a possible denial of service vulnerability in the multipart parsing component of Rack. This

unread,

[CVE-2022-30122] Denial of Service Vulnerability in Rack Multipart Parsing

There is a possible denial of service vulnerability in the multipart parsing component of Rack. This

5/27/22

5/8/22

[ANN] Nokogiri security update v1.13.6

Nokogiri v1.13.6 has been released with a security update for CRuby users. The release notes are

unread,

[ANN] Nokogiri security update v1.13.6

Nokogiri v1.13.6 has been released with a security update for CRuby users. The release notes are

5/8/22

5/4/22

[ANN] Nokogiri security update v1.13.5

Nokogiri v1.13.5 has been released with a security update for CRuby users. The changelog entry is

unread,

[ANN] Nokogiri security update v1.13.5

Nokogiri v1.13.5 has been released with a security update for CRuby users. The changelog entry is

5/4/22

Aaron Patterson

4/26/22

[CVE-2022-27777] Possible XSS Vulnerability in Action View tag helpers

There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash

unread,

[CVE-2022-27777] Possible XSS Vulnerability in Action View tag helpers

There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash

4/26/22

Aaron Patterson

4/26/22

[CVE-2022-22577] Possible XSS Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned

unread,

[CVE-2022-22577] Possible XSS Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned

4/26/22

4/12/22

Ruby 2.6.10 Released

Ruby 2.6.10 has been released. This release includes a security fix. Please check the topics below

unread,

Ruby 2.6.10 Released

Ruby 2.6.10 has been released. This release includes a security fix. Please check the topics below

4/12/22

4/12/22

CVE-2022-28739: Buffer overrun in String-to-Float conversion

A buffer-overrun vulnerability is discovered in a conversion algorithm from a String to a Float. This

unread,

CVE-2022-28739: Buffer overrun in String-to-Float conversion

A buffer-overrun vulnerability is discovered in a conversion algorithm from a String to a Float. This

4/12/22

4/12/22

CVE-2022-28738: Double free in Regexp compilation

A double-free vulnerability is discovered in Regexp compilation. This vulnerability has been assigned

unread,

CVE-2022-28738: Double free in Regexp compilation

A double-free vulnerability is discovered in Regexp compilation. This vulnerability has been assigned

4/12/22

4/12/22

Ruby 3.0.4 Released

Ruby 3.0.4 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 3.0.4 Released

Ruby 3.0.4 has been released. This release includes security fixes. Please check the topics below for

4/12/22

4/12/22

Ruby 2.7.6 Released

Ruby 2.7.6 has been released. This release includes a security fix. Please check the topics below for

unread,

Ruby 2.7.6 Released

Ruby 2.7.6 has been released. This release includes a security fix. Please check the topics below for

4/12/22

4/12/22

Ruby 3.1.2 Released

Ruby 3.1.2 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 3.1.2 Released

Ruby 3.1.2 has been released. This release includes security fixes. Please check the topics below for

4/12/22

4/11/22

[ANN] Nokogiri security update v1.13.4

Nokogiri v1.13.4 has been released, with multiple security updates for both CRuby and JRuby users.

unread,

[ANN] Nokogiri security update v1.13.4

Nokogiri v1.13.4 has been released, with multiple security updates for both CRuby and JRuby users.

4/11/22

Aaron Patterson

3/8/22

[CVE-2022-21831] Possible code injection vulnerability in Rails / Active Storage

There is a possible code injection vulnerability in the Active Storage module of Rails. This

unread,

[CVE-2022-21831] Possible code injection vulnerability in Rails / Active Storage

There is a possible code injection vulnerability in the Active Storage module of Rails. This

3/8/22

2/22/22

[ANN] Nokogiri security update v1.13.2

Final update: Nokogiri v1.13.3 has been released which patches libxml2 to address the HTML4 parsing

unread,

[ANN] Nokogiri security update v1.13.2

Final update: Nokogiri v1.13.3 has been released which patches libxml2 to address the HTML4 parsing

2/22/22

Aaron Patterson

2/11/22

[CVE-2022-23633] Possible exposure of information vulnerability in Action Pack

## Impact Under certain circumstances response bodies will not be closed, for example a bug in a

unread,

[CVE-2022-23633] Possible exposure of information vulnerability in Action Pack

## Impact Under certain circumstances response bodies will not be closed, for example a bug in a

2/11/22

Aaron Patterson

12/14/21

[CVE-2021-44528] Possible Open Redirect in Host Authorization Middleware

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack.

unread,

[CVE-2021-44528] Possible Open Redirect in Host Authorization Middleware

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack.

12/14/21

11/24/21

Ruby 3.0.3 Released

Ruby 3.0.3 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 3.0.3 Released

Ruby 3.0.3 has been released. This release includes security fixes. Please check the topics below for

11/24/21

11/24/21

CVE-2021-41816: Buffer Overrun in CGI.escape_html

A buffer overrun vulnerability was discovered in CGI.escape_html. This vulnerability has been

unread,

CVE-2021-41816: Buffer Overrun in CGI.escape_html

A buffer overrun vulnerability was discovered in CGI.escape_html. This vulnerability has been

11/24/21

Search

Clear search

Close search

Google apps

Main menu