Misc #20685

closed

Ruby 3.2.4 tag mentions unrelated changes (CVE-2024-27280)

Added by kenhys (Kentaro Hayashi) 5 months ago. Updated 4 months ago.

Status:
Closed
Assignee:
-
[ruby-core:118892]

Description

Problem

The release page https://github.com/ruby/ruby/releases/tag/v3_2_4
mentions "CVE-2024-27280: Buffer overread vulnerability in StringIO"
as a security fix, but https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
explicitly describes the following:

This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later.

So it is a bit strange that CVE-2024-27280 was mentioned as a security fix for 3.2.x, IMHO.

Please correct me if I have interpreted it wrongly.

Expected

The problematic description is removed from the tag and the release note.

Additional Information

Updated by nagachika (Tomoyuki Chikanaga) 5 months ago

Thank you for your great catch! You are totally right. The ruby-3.2 series contains stringio-3.0.4 from the beginning.

I have removed the CVE reference from the GitHub release page now: https://github.com/ruby/ruby/releases/tag/v3_2_4

I will also remove the links from the release announcement pages on www.ruby-lang.org afterward.

Updated by hsbt (Hiroshi SHIBATA) 4 months ago

  • Status changed from Open to Closed
