Profile

Segaja (Andreas Schleifer)

Issues

                 Open  Closed  Total
Assigned issues  0     0       0
Reported issues  0     1       1

Activity

12/03/2022

11:03 PM Ruby Misc #19178: How does CRuby handle CVE issues in stdlib gems which get patched?
austin (Austin Ziegler) wrote in #note-5:
> No, they can be upgraded independently.
That is interesting. The second sentence from https://rubyreferences.github.io/rubyref/stdlib/bundled.html says "Unlike standard library, these gems ...
Segaja (Andreas Schleifer)
10:14 PM Ruby Misc #19178: How does CRuby handle CVE issues in stdlib gems which get patched?
austin (Austin Ziegler) wrote in #note-3:
> Segaja (Andreas Schleifer) wrote in #note-2:
> ...
I think we have a naming difference here. I'm talking about the "default gems" as listed on https://stdgems.org/3.0.4/ for example for CRuby...
Segaja (Andreas Schleifer)
09:55 PM Ruby Misc #19178: How does CRuby handle CVE issues in stdlib gems which get patched?
hsbt (Hiroshi SHIBATA) wrote in #note-1:
> >As far as I know stdlibs get only updated for the users if CRuby releases a new version. So will CRuby always release a new version if there is a critical fix an stdlib "needs" to be updated?
...
Segaja (Andreas Schleifer)
09:19 PM Ruby Misc #19178 (Closed): How does CRuby handle CVE issues in stdlib gems which get patched?
If there is a CVE issue in one of the stdlibs ( https://stdgems.org/ ) which gets patched, what is CRuby's approach on how to push this critical fix to the users?
As far as I know stdlibs get only updated for the users if CRuby release...
Segaja (Andreas Schleifer)