ruby-3.0.1

[Douglas R. Reno]

New point version

[Douglas R. Reno]

Ruby 3.0.1 Released
Posted by naruse on 5 Apr 2021

Ruby 3.0.1 has been released.

This release includes security fixes. Please check the topics below for details.

    CVE-2021-28965: XML round-trip vulnerability in REXML
    CVE-2021-28966: Path traversal in Tempfile on Windows

See the commit logs for details.

One of the vulnerabilities listed here affects us - CVE-2021-28965. The other one only affects Windows.

CVE-2021-28965

CVE-2021-28965: XML round-trip vulnerability in REXML
Posted by mame on 5 Apr 2021

There is an XML round-trip vulnerability in REXML gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2021-28965. We strongly recommend upgrading the REXML gem.

Details

When parsing and serializing a crafted XML document, REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML.

Please update REXML gem to version 3.2.5 or later.

If you are using Ruby 2.6 or later:
    Please use Ruby 2.6.7, 2.7.3, or 3.0.1.
    Alternatively, you can use gem update rexml to update it. If you are using bundler, please add gem "rexml", ">= 3.2.5" to your Gemfile.

If you are using Ruby 2.5.8 or prior:
    Please use Ruby 2.5.9.
    You cannot use gem update rexml for Ruby 2.5.8 or prior.
    Note that Ruby 2.5 series is now EOL, so please consider upgrading Ruby to 2.6.7 or later as soon as possible.

Affected versions
    Ruby 2.5.8 or prior (You can NOT use gem upgrade rexml for this version.)
    Ruby 2.6.7 or prior
    Ruby 2.7.2 or prior
    Ruby 3.0.1 or prior
    REXML gem 3.2.4 or prior

Credits
Thanks to Juho Nurminen for discovering this issue.

History
    Originally published at 2021-04-05 12:00:00 (UTC)

[Douglas R. Reno]

Fixed at @0ec63138e9de10e2d348d1b2b2f637e5b48a266a

[Bruce Dubbs]

Milestone renamed