From: "kenhys (Kentaro Hayashi) via ruby-core" <ruby-core@...>
Date: 2024-08-19T09:21:10+00:00
Subject: [ruby-core:118892] [Ruby master Misc#20685] Ruby 3.2.4 tag mentions unrelated changes (CVE-2024-27280)

Issue #20685 has been reported by kenhys (Kentaro Hayashi).

----------------------------------------
Misc #20685: Ruby 3.2.4 tag mentions unrelated changes (CVE-2024-27280)
https://bugs.ruby-lang.org/issues/20685

* Author: kenhys (Kentaro Hayashi)
* Status: Open
----------------------------------------
# Problem

According to https://github.com/ruby/ruby/releases/tag/v3_2_4,
it mentions "CVE-2024-27280: Buffer overread vulnerability in StringIO"
as a security fix, but https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
explicitly describe that the following:

> This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later.

so, it is a bit strange that CVE-2023-27280 was mentioned as security fix for 3.2.x, IMHO.

Please correct me if I'm wrongly interpreted it.

# Expected

The problematic description was removed from tags and release note.

# Additional Information

* https://github.com/ruby/ruby/releases/tag/v3_2_4
  * mention it as security fix
* https://www.ruby-lang.org/ja/news/2024/04/23/ruby-3-2-4-released/
  * mention it as security fix
* https://www.ruby-lang.org/en/news/2024/04/23/ruby-3-2-4-released/
  * mention it as security fix









-- 
https://bugs.ruby-lang.org/
 ______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/lists/ruby-core.ml.ruby-lang.org/