From: "alanwu (Alan Wu) via ruby-core" <ruby-core@...>
Date: 2025-11-06T16:20:02+00:00
Subject: [ruby-core:123709] [Ruby Bug#21667] CVE-2024-12224

Issue #21667 has been updated by alanwu (Alan Wu).

Status changed from Feedback to Closed

https://rustsec.org/advisories/RUSTSEC-2024-0421.html

This seems to be from MMTk depending on the `idna` crate. MMTk is experimental and requires a separate build step, so ruby-build probably doesn't even build it.

In any case, we have already upgraded past the vulnerable version in commit:d8774ec98fb.

----------------------------------------
Bug #21667: CVE-2024-12224
https://bugs.ruby-lang.org/issues/21667#change-115097

* Author: mcandre (Andrew Pennebaker)
* Status: Closed
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
ruby-build triggers Wiz finding CVE-2024-12224 for the leftover build files, when compiling Ruby from source.



-- 
https://bugs.ruby-lang.org/
______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/lists/ruby-core.ml.ruby-lang.org/