Actions
Misc #20685
closed
Ruby 3.2.4 tag mentions unrelated changes (CVE-2024-27280)
Status:
Closed
Assignee:
-
Description
Problem¶
According to https://github.com/ruby/ruby/releases/tag/v3_2_4,
it mentions "CVE-2024-27280: Buffer overread vulnerability in StringIO"
as a security fix, but https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
explicitly describe that the following:
This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later.
so, it is a bit strange that CVE-2023-27280 was mentioned as security fix for 3.2.x, IMHO.
Please correct me if I'm wrongly interpreted it.
Expected¶
The problematic description was removed from tags and release note.
Additional Information¶
-
https://github.com/ruby/ruby/releases/tag/v3_2_4
- mention it as security fix
-
https://www.ruby-lang.org/ja/news/2024/04/23/ruby-3-2-4-released/
- mention it as security fix
-
https://www.ruby-lang.org/en/news/2024/04/23/ruby-3-2-4-released/
- mention it as security fix
Updated by 
Updated by
Actions
Like0
Like0Like0