Rubies 2.2.10, 2.3.7, 2.4.4, and 2.5.1 are now available
Change effective on 28 March 2018
Ruby versions 2.2.10, 2.3.7, 2.4.4, and 2.5.1 are security releases made due to these vulnerabilities:
- CVE-2017-17742: Response splitting vulnerability in WEBrick
- CVE-2018-6914: Directory traversal with Dir.mktmpdir and Tempfile
- CVE-2018-8777: webrick large request updates
- CVE-2018-8779: Unix domain socket and a path containing a null character
- CVE-2018-8778: controlled buffer under-read in pack_unpack_internal()
- CVE-2018-8780: NUL-character treatment with Dir
- RubyGem 2.7.6 (see https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/)
To ensure that your application is not impacted by any of these vulnerabilities please upgrade your app to the latest version in the series. You can see the latest versions on the Ruby support page.
Ruby 2.2.10 is the last release in the 2.2 series. Please upgrade to at least 2.3.7 or higher as soon as possible.