ruby-security-ann

1–30 of 211

Security announcements for Ruby, Rails, Rubygems, Bundler, and other Ruby ecosystem projects.

0 selected

Aaron Patterson

Jul 12

[CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record

There is a possible escalation to RCE when using YAML serialized columns in Active Record. This

unread,

[CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record

There is a possible escalation to RCE when using YAML serialized columns in Active Record. This

Jul 12

Jun 9

[CVE-2022-32209] Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This

unread,

[CVE-2022-32209] Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This

Jun 9

Jun 9

[ANN] mechanize security update v2.8.5

Mechanize v2.8.5 has been released with a security update. The release notes are reproduced below for

unread,

[ANN] mechanize security update v2.8.5

Mechanize v2.8.5 has been released with a security update. The release notes are reproduced below for

Jun 9

Aaron Patterson

May 27

[CVE-2022-30123] Possible shell escape sequence injection vulnerability in Rack

There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger

unread,

[CVE-2022-30123] Possible shell escape sequence injection vulnerability in Rack

There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger

May 27

Aaron Patterson

May 27

[CVE-2022-30122] Denial of Service Vulnerability in Rack Multipart Parsing

There is a possible denial of service vulnerability in the multipart parsing component of Rack. This

unread,

[CVE-2022-30122] Denial of Service Vulnerability in Rack Multipart Parsing

There is a possible denial of service vulnerability in the multipart parsing component of Rack. This

May 27

May 8

[ANN] Nokogiri security update v1.13.6

Nokogiri v1.13.6 has been released with a security update for CRuby users. The release notes are

unread,

[ANN] Nokogiri security update v1.13.6

Nokogiri v1.13.6 has been released with a security update for CRuby users. The release notes are

May 8

May 4

[ANN] Nokogiri security update v1.13.5

Nokogiri v1.13.5 has been released with a security update for CRuby users. The changelog entry is

unread,

[ANN] Nokogiri security update v1.13.5

Nokogiri v1.13.5 has been released with a security update for CRuby users. The changelog entry is

May 4

Aaron Patterson

Apr 26

[CVE-2022-27777] Possible XSS Vulnerability in Action View tag helpers

There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash

unread,

[CVE-2022-27777] Possible XSS Vulnerability in Action View tag helpers

There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash

Apr 26

Aaron Patterson

Apr 26

[CVE-2022-22577] Possible XSS Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned

unread,

[CVE-2022-22577] Possible XSS Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned

Apr 26

Apr 12

Ruby 2.6.10 Released

Ruby 2.6.10 has been released. This release includes a security fix. Please check the topics below

unread,

Ruby 2.6.10 Released

Ruby 2.6.10 has been released. This release includes a security fix. Please check the topics below

Apr 12

Apr 12

CVE-2022-28739: Buffer overrun in String-to-Float conversion

A buffer-overrun vulnerability is discovered in a conversion algorithm from a String to a Float. This

unread,

CVE-2022-28739: Buffer overrun in String-to-Float conversion

A buffer-overrun vulnerability is discovered in a conversion algorithm from a String to a Float. This

Apr 12

Apr 12

CVE-2022-28738: Double free in Regexp compilation

A double-free vulnerability is discovered in Regexp compilation. This vulnerability has been assigned

unread,

CVE-2022-28738: Double free in Regexp compilation

A double-free vulnerability is discovered in Regexp compilation. This vulnerability has been assigned

Apr 12

Apr 12

Ruby 3.0.4 Released

Ruby 3.0.4 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 3.0.4 Released

Ruby 3.0.4 has been released. This release includes security fixes. Please check the topics below for

Apr 12

Apr 12

Ruby 2.7.6 Released

Ruby 2.7.6 has been released. This release includes a security fix. Please check the topics below for

unread,

Ruby 2.7.6 Released

Ruby 2.7.6 has been released. This release includes a security fix. Please check the topics below for

Apr 12

Apr 12

Ruby 3.1.2 Released

Ruby 3.1.2 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 3.1.2 Released

Ruby 3.1.2 has been released. This release includes security fixes. Please check the topics below for

Apr 12

Apr 11

[ANN] Nokogiri security update v1.13.4

Nokogiri v1.13.4 has been released, with multiple security updates for both CRuby and JRuby users.

unread,

[ANN] Nokogiri security update v1.13.4

Nokogiri v1.13.4 has been released, with multiple security updates for both CRuby and JRuby users.

Apr 11

Aaron Patterson

Mar 8

[CVE-2022-21831] Possible code injection vulnerability in Rails / Active Storage

There is a possible code injection vulnerability in the Active Storage module of Rails. This

unread,

[CVE-2022-21831] Possible code injection vulnerability in Rails / Active Storage

There is a possible code injection vulnerability in the Active Storage module of Rails. This

Mar 8

Feb 22

[ANN] Nokogiri security update v1.13.2

Final update: Nokogiri v1.13.3 has been released which patches libxml2 to address the HTML4 parsing

unread,

[ANN] Nokogiri security update v1.13.2

Final update: Nokogiri v1.13.3 has been released which patches libxml2 to address the HTML4 parsing

Feb 22

Aaron Patterson

Feb 11

[CVE-2022-23633] Possible exposure of information vulnerability in Action Pack

## Impact Under certain circumstances response bodies will not be closed, for example a bug in a

unread,

[CVE-2022-23633] Possible exposure of information vulnerability in Action Pack

## Impact Under certain circumstances response bodies will not be closed, for example a bug in a

Feb 11

Aaron Patterson

12/14/21

[CVE-2021-44528] Possible Open Redirect in Host Authorization Middleware

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack.

unread,

[CVE-2021-44528] Possible Open Redirect in Host Authorization Middleware

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack.

12/14/21

11/24/21

Ruby 3.0.3 Released

Ruby 3.0.3 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 3.0.3 Released

Ruby 3.0.3 has been released. This release includes security fixes. Please check the topics below for

11/24/21

11/24/21

CVE-2021-41816: Buffer Overrun in CGI.escape_html

A buffer overrun vulnerability was discovered in CGI.escape_html. This vulnerability has been

unread,

CVE-2021-41816: Buffer Overrun in CGI.escape_html

A buffer overrun vulnerability was discovered in CGI.escape_html. This vulnerability has been

11/24/21

11/24/21

Ruby 2.7.5 Released

Ruby 2.7.5 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 2.7.5 Released

Ruby 2.7.5 has been released. This release includes security fixes. Please check the topics below for

11/24/21

11/24/21

CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse

A cookie prefix spoofing vulnerability was discovered in CGI::Cookie.parse. This vulnerability has

unread,

CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse

A cookie prefix spoofing vulnerability was discovered in CGI::Cookie.parse. This vulnerability has

11/24/21

11/24/21

Ruby 2.6.9 Released

Ruby 2.6.9 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 2.6.9 Released

Ruby 2.6.9 has been released. This release includes security fixes. Please check the topics below for

11/24/21

9/27/21

Nokogiri security update v1.12.5

Nokogiri v1.12.5 was released on 2021-09-27 which contains a fix for CVE-2021-41098, fully described

unread,

Nokogiri security update v1.12.5

Nokogiri v1.12.5 was released on 2021-09-27 which contains a fix for CVE-2021-41098, fully described

9/27/21

Aaron Patterson

8/19/21

[CVE-2021-22942] Possible Open Redirect in Host Authorization Middleware

# Possible Open Redirect in Host Authorization Middleware There is a possible open redirect

unread,

[CVE-2021-22942] Possible Open Redirect in Host Authorization Middleware

# Possible Open Redirect in Host Authorization Middleware There is a possible open redirect

8/19/21

7/7/21

Ruby 2.6.8 Released

Ruby 2.6.8 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 2.6.8 Released

Ruby 2.6.8 has been released. This release includes security fixes. Please check the topics below for

7/7/21

7/7/21

Ruby 2.7.4 Released

Ruby 2.7.4 has been released. This release includes security fixes. Please check the topics below for

unread,

Ruby 2.7.4 Released

Ruby 2.7.4 has been released. This release includes security fixes. Please check the topics below for

7/7/21

7/7/21

CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP

A StartTLS stripping vulnerability was discovered in Net::FTP. This vulnerability has been assigned

unread,

CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP

A StartTLS stripping vulnerability was discovered in Net::FTP. This vulnerability has been assigned

7/7/21

Search

Clear search

Close search

Google apps

Main menu