From: "ioquatix (Samuel Williams)"
Date: 2022-12-04T00:03:19+00:00
Subject: [ruby-core:111192] [Ruby master Misc#19178] How does CRuby handle CVE issues in stdlib gems which get patched?

Issue #19178 has been updated by ioquatix (Samuel Williams).

I've created an initial document, trying to distill some of the discussions here into a single place that downstream package maintainers can use as guidance.

https://github.com/ruby/ruby/pull/6856

Please help expand this document to clarify various points about how Ruby itself should be distributed and the process around it.

----------------------------------------
Misc #19178: How does CRuby handle CVE issues in stdlib gems which get patched?
https://bugs.ruby-lang.org/issues/19178#change-100476

* Author: Segaja (Andreas Schleifer)
* Status: Open
* Priority: Normal
----------------------------------------
If there is a CVE issue in one of the stdlibs ( https://stdgems.org/ ) which gets patched, what is CRuby's approach on how to push this critical fix to the users?

As far as I know, stdlibs only get updated for the users if CRuby releases a new version. So will CRuby always release a new version if there is a critical fix and a stdlib "needs" to be updated?

--
https://bugs.ruby-lang.org/