Opened 3 years ago
Closed 3 years ago
New point version.
This seems to be a security release for rdoc, fixing a vulnerability from 2012 and 2015.
There are multiple vulnerabilities about Cross-Site Scripting (XSS) in jQuery shipped with RDoc which bundled in Ruby. All Ruby users are recommended to update Ruby to the latest release which includes the fixed version of RDoc.
The following vulnerabilities have been reported.
It is strongly recommended for all Ruby users to upgrade your Ruby installation or take one of the following workarounds as soon as possible. You also have to re-generate existing RDoc documentations to completely mitigate the vulnerabilities.
Ruby 2.3 series: all
Ruby 2.4 series: 2.4.6 and earlier
Ruby 2.5 series: 2.5.5 and earlier
Ruby 2.6 series: 2.6.3 and earlier
prior to master commit f308ab2131ee675000926540cbb8c13c91dc3be5
RDoc is a static documentation generation tool. Patching the tool itself is insufficient to mitigate these vulnerabilities.
So, RDoc documentations generated with previous versions have to be re-generated with newer RDoc.
In principle, you should upgrade your Ruby installation to the latest version. RDoc 6.1.2 or later includes the fix for the vulnerabilities, so upgrade RDoc to the latest version if you can’t upgrade Ruby itself.
Note that as mentioned earlier, you have to regenerate existing RDoc documentations.
gem install rdoc -f
Update: The initial version of this post partially mentioned rdoc-6.1.1.gem, which was still vulnerable. Please make sure that you install rdoc-6.1.2 or later.
Regarding the development version, update to the latest HEAD of master branch.
Thanks to Chris Seaton for reporting the issue.
Originally published at 2019-08-28 09:00:00 UTC
RDoc version fixed at 2019-08-28 11:50:00 UTC
Minor language fixes at 2019-08-28 12:30:00 UTC
Push back to version 9.0.
Promote to high
Fixed at r22075
Powered by Trac 1.5.3.dev0
By Edgewall Software
© 1998-2022 Gerard Beekmans.