Ruby 2.4.2 has just been released. Let's look at what it brings.
This is mostly a security release, so updating your Ruby installation (together with the RubyGems it bundles) matters for protecting your systems and your data. Here are the most important fixes in the new version.
1. Buffer underrun vulnerabilities
A few buffer underrun vulnerabilities have been fixed in this version. One of them concerns the sprintf method of the Kernel module. Previously, if a malicious format string containing a precision specifier (*) was passed together with a huge negative value for that specifier, the interpreter could underrun its buffer and crash. This is fixed in 2.4.2. The practical rule remains unchanged by the fix: the format string itself should be a fixed literal, and any width or precision taken from outside the program should be bounds-checked before it reaches sprintf.
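The following is an added example, not code from the Ruby project or the release announcement. It shows the defensive shape a caller can adopt regardless of interpreter version: the template is a literal, and caller-supplied width and precision are validated before they reach the `*` specifier, so the huge negative value the advisory describes is rejected up front. `MAX_FIELD`, `field_size` and `render_column` are names chosen for this example.

```ruby
# Added example: validate '*' arguments before sprintf sees them.
# MAX_FIELD is an assumed limit chosen for this example.
MAX_FIELD = 1024

# Coerce and bounds-check a caller-supplied width or precision.
def field_size(n)
  n = Integer(n)                      # raises ArgumentError on "12abc", "", etc.
  unless (0..MAX_FIELD).cover?(n)
    raise ArgumentError, "field size #{n} outside 0..#{MAX_FIELD}"
  end
  n
end

# The template is a fixed literal; only the arguments vary.
# Never build the template itself from untrusted input.
def render_column(value, width, precision)
  format("%-*.*s", field_size(width), field_size(precision), value.to_s)
end

if __FILE__ == $PROGRAM_NAME
  puts render_column("abcdef", 8, 3).inspect   # "abc     "
  begin
    # The shape of input the advisory describes: a huge negative '*' value.
    render_column("x", -2_147_483_648, 1)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The check costs nothing on the happy path and turns a value that would once have reached the interpreter's buffer handling into an ordinary ArgumentError at the boundary where the data enters.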
Another fix is in the OpenSSL extension: a malicious string passed to the decode method of OpenSSL::ASN1 could likewise cause a buffer underrun. Such input is handled safely in 2.4.2, so a malformed DER blob now surfaces as an OpenSSL::ASN1::ASN1Error that the caller can handle rather than as memory corruption.
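An added example (not from the Ruby project or the release notes) of how application code should treat DER that arrives from the network: cap the size, decode, and convert parser failures into one exception type. The DER byte strings are constructed for this example; `GOOD_DER` is a SEQUENCE holding an INTEGER and an OCTET STRING, and `TRUNCATED_DER` is the same SEQUENCE header whose length field promises more bytes than follow. `MAX_DER_BYTES`, `decode_der` and `summarize` are names chosen here.

```ruby
require "openssl"

# Constructed sample DER for this example: SEQUENCE { INTEGER 5, OCTET STRING "A" }
GOOD_DER = "\x30\x06\x02\x01\x05\x04\x01\x41".b
# Same SEQUENCE header claiming 6 content bytes, but only 3 follow.
TRUNCATED_DER = "\x30\x06\x02\x01\x05".b
# Upper bound on input we are willing to parse at all (assumed value).
MAX_DER_BYTES = 64 * 1024

# Decode untrusted DER; turn parser errors into a single caller-visible exception.
def decode_der(bytes)
  raise ArgumentError, "DER input too large (#{bytes.bytesize} bytes)" if bytes.bytesize > MAX_DER_BYTES
  OpenSSL::ASN1.decode(bytes)
rescue OpenSSL::ASN1::ASN1Error => e
  raise ArgumentError, "rejected malformed DER: #{e.message}"
end

# Flatten a decoded tree into [type-name, value] pairs for inspection or logging.
def summarize(node)
  if node.is_a?(OpenSSL::ASN1::Constructive)
    node.value.map { |child| summarize(child) }
  else
    [node.class.name.split("::").last, node.value]
  end
end

if __FILE__ == $PROGRAM_NAME
  p summarize(decode_der(GOOD_DER))
  begin
    decode_der(TRUNCATED_DER)
  rescue ArgumentError => e
    puts e.message
  end
end
```

Note that OpenSSL::ASN1::Integer#value is an OpenSSL::BN, not a Ruby Integer, so compare it with `.to_i` when you check decoded values.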
2. WEBrick authentication vulnerability
Clients can pass an arbitrary string as the user name for WEBrick's Basic authentication, and WEBrick writes that name to its log on a failed login. Previously an attacker could therefore inject escape sequences into the log, and the control characters would be interpreted by the terminal emulator of whoever later viewed the log file (an escape sequence injection). Ruby 2.4.2 fixes this.
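An added example, not WEBrick's own code, of the defence this class of bug calls for: anything attacker-controlled that ends up in a log line is escaped so that no control byte survives. The same filter applies to gem metadata that a `gem` command echoes to the terminal (the ANSI escape sequence issue in the RubyGems section below). The hostile credentials are constructed for the example; `log_safe`, `parse_basic` and `log_failed_login` are names chosen here, and the log line format imitates, but is not, WEBrick's.

```ruby
require "logger"
require "stringio"

# Escape every byte outside printable ASCII as \xHH so that nothing an attacker
# puts in a user name can be interpreted by a terminal that later shows the
# log. Lossless, and safe on the binary string that base64 decoding yields.
def log_safe(str)
  str.to_s.b.gsub(/[^\x20-\x7E]/n) { |b| format("\\x%02X", b.ord) }
end

# Parse an "Authorization: Basic <base64 user:password>" value.
# Returns [user, password], or nil when the header cannot be used.
def parse_basic(header)
  scheme, encoded = header.to_s.split(" ", 2)
  return nil unless scheme && encoded && scheme.casecmp?("basic")
  user, pass = encoded.unpack1("m").split(":", 2)   # "m" = base64 decode
  return nil if user.nil? || pass.nil?
  [user, pass]
end

# Write the failed-login line the way a server would, but with the
# attacker-controlled user name neutralised first. Returns the log text.
def log_failed_login(header, io = StringIO.new)
  logger = Logger.new(io)
  logger.formatter = proc { |sev, _time, _prog, msg| "#{sev}: #{msg}\n" }
  user, _pass = parse_basic(header)          # user is nil for an unusable header
  logger.warn("BasicAuth: #{log_safe(user)}: password unmatch.")
  io.string
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hostile credentials: the user name clears the screen and homes
  # the cursor on any terminal that renders the raw log line.
  hostile = "Basic " + ["admin\e[2J\e[H:wrong"].pack("m0")
  puts log_failed_login(hostile)   # WARN: BasicAuth: admin\x1B[2J\x1B[H: password unmatch.
end
```

Escaping at the point of logging, rather than at the point of viewing, is the robust choice: log files are opened with `cat`, `tail` and `less -r` far more often than with a viewer that strips control characters.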
3. RubyGems vulnerabilities
The RubyGems bundled with this release has also been updated to fix several vulnerabilities:
- a DNS request hijacking vulnerability
- an ANSI escape sequence vulnerability
- a DoS vulnerability in the query command
- a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files.
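The last item in the list is a path containment failure: an archive entry whose name climbs out of the target directory. The following is an added example (not RubyGems' own installer code) of the check an extractor needs before writing any entry. The entry names are constructed for the example; `safe_extract_path` and `partition_entries` are names chosen here, and the install directory is a made-up path.

```ruby
require "pathname"

# Constructed sample entry names as they might appear inside a gem's data
# archive (illustrative only, not taken from any real gem).
SAMPLE_ENTRIES = [
  "lib/foo.rb",
  "lib/foo/version.rb",
  "../../../../etc/passwd",      # classic traversal
  "/usr/local/bin/gem",          # absolute path
  "lib/../../outside.rb",        # traversal hidden mid-path
  "lib/sub/../ok.rb",            # normalises to lib/ok.rb, still inside
].freeze

# Resolve an archive entry against the install directory and refuse anything
# whose normalised absolute path escapes it. Returns the safe absolute path.
def safe_extract_path(install_dir, entry)
  root = File.expand_path(install_dir)
  raise ArgumentError, "absolute path in archive: #{entry}" if Pathname.new(entry).absolute?
  target = File.expand_path(entry, root)   # collapses "." and ".." without touching the disk
  unless target == root || target.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "path escapes install dir: #{entry}"
  end
  target
end

# Split a list of entries into the resolved paths that may be written and the
# raw entry names that must be refused.
def partition_entries(install_dir, entries)
  accepted = []
  rejected = []
  entries.each do |entry|
    begin
      accepted << safe_extract_path(install_dir, entry)
    rescue ArgumentError
      rejected << entry
    end
  end
  [accepted, rejected]
end

if __FILE__ == $PROGRAM_NAME
  accepted, rejected = partition_entries("/opt/gems/foo-1.0", SAMPLE_ENTRIES)
  puts "accepted:", accepted, "rejected:", rejected
end
```

`File.expand_path` normalises the string without consulting the filesystem, which is what you want for a name that has not been written yet; it does not resolve symlinks, so an extractor must additionally refuse to follow a symlink that an earlier entry of the same archive created inside the tree (or call `File.realpath` on the parent directory before each write).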
As you can see, this update matters for protecting both yourself and your customers, so move to 2.4.2 promptly. If you cannot upgrade the interpreter right away, the RubyGems issues can still be closed on their own with `gem update --system`, and `ruby -v` and `gem --version` are the quick checks that a deployed host actually got the new versions.