From: "nagachika (Tomoyuki Chikanaga) via ruby-core" Date: 2024-08-19T10:13:56+00:00 Subject: [ruby-core:118893] [Ruby master Misc#20685] Ruby 3.2.4 tag mentions unrelated changes (CVE-2024-27280) Issue #20685 has been updated by nagachika (Tomoyuki Chikanaga). Thank you for your greate catch! You are totally right. ruby-3.2 seriese contains stringio-3.0.4 from the beginning. I remove the CVE reference in the GitHub release page now. https://github.com/ruby/ruby/releases/tag/v3_2_4 I will also remove the links in the release announce pages in www.ruby-lang.org afterward. ---------------------------------------- Misc #20685: Ruby 3.2.4 tag mentions unrelated changes (CVE-2024-27280) https://bugs.ruby-lang.org/issues/20685#change-109463 * Author: kenhys (Kentaro Hayashi) * Status: Open ---------------------------------------- # Problem According to https://github.com/ruby/ruby/releases/tag/v3_2_4, it mentions "CVE-2024-27280: Buffer overread vulnerability in StringIO" as a security fix, but https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/ explicitly describe that the following: > This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later. so, it is a bit strange that CVE-2023-27280 was mentioned as security fix for 3.2.x, IMHO. Please correct me if I'm wrongly interpreted it. # Expected The problematic description was removed from tags and release note. # Additional Information * https://github.com/ruby/ruby/releases/tag/v3_2_4 * mention it as security fix * https://www.ruby-lang.org/ja/news/2024/04/23/ruby-3-2-4-released/ * mention it as security fix * https://www.ruby-lang.org/en/news/2024/04/23/ruby-3-2-4-released/ * mention it as security fix -- https://bugs.ruby-lang.org/ ______________________________________________ ruby-core mailing list -- ruby-core@ml.ruby-lang.org To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org ruby-core info -- https://ml.ruby-lang.org/mailman3/lists/ruby-core.ml.ruby-lang.org/