From: "austin (Austin Ziegler)"
Date: Sat, 03 Dec 2022 22:11:48 +0000 (UTC)
To: ruby-core@ml.ruby-lang.org
Subject: [ruby-core:111186] [Ruby master Misc#19178] How does CRuby handle CVE issues in stdlib gems which get patched?

Issue #19178 has been updated by austin (Austin Ziegler).

Segaja (Andreas Schleifer) wrote in #note-2:
> hsbt (Hiroshi SHIBATA) wrote in #note-1:
> > > As far as I know, stdlibs only get updated for users if CRuby releases a new version. So will CRuby always release a new version if there is a critical fix a stdlib "needs" to be updated?
> >
> > All of the stdlibs are maintained by CRuby committers, including me. If a vulnerability is found and CVEs are assigned, we will release the new version of the stdlibs first. After that, we may release a new version of Ruby.
>
> "may"? This sounds like sometimes CVEs are not considered "important" enough and do not warrant a new CRuby release. Or do I misunderstand this?

Since the stdlib gems are able to be upgraded independently of Ruby, the need for *immediate* CRuby releases (or other Ruby release versions) is reduced.

----------------------------------------
Misc #19178: How does CRuby handle CVE issues in stdlib gems which get patched?
https://bugs.ruby-lang.org/issues/19178#change-100470

* Author: Segaja (Andreas Schleifer)
* Status: Open
* Priority: Normal
----------------------------------------
If there is a CVE issue in one of the stdlibs ( https://stdgems.org/ ) which gets patched, what is CRuby's approach to pushing this critical fix to the users?

As far as I know, stdlibs only get updated for users if CRuby releases a new version. So will CRuby always release a new version if there is a critical fix a stdlib "needs" to be updated?
--
https://bugs.ruby-lang.org/

______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
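A local check for the independent-upgrade path Austin's reply refers to, as an added example that is not from the thread or from CRuby itself: given a stdlib gem name and a minimum version (the name/version pairs in the driver are constructed placeholders, not real advisory data), it reports the version bundled with this Ruby, the newest version installed from any source, and whether that newest version meets the minimum, regardless of which Ruby release is running.

```ruby
# Added example, not from the thread or from CRuby: check whether a stdlib
# ("default") gem has been upgraded past a minimum version on this Ruby,
# independently of the Ruby release. Needs only RubyGems.
require "rubygems"

# Compare two version strings with RubyGems semantics ("2.10.0" > "2.9.0").
def version_satisfies?(installed, min_version)
  Gem::Requirement.new(">= #{min_version}").satisfied_by?(Gem::Version.new(installed))
end

# Summarise the local state of one gem: the version shipped with this Ruby
# (nil if it is not a default gem here), the newest version installed from
# any source, and whether that newest version meets the minimum.
def stdlib_gem_status(name, min_version)
  specs = Gem::Specification.find_all_by_name(name)
  return { name: name, bundled: nil, newest: nil, satisfied: false } if specs.empty?

  bundled = specs.select(&:default_gem?).map(&:version).max
  newest  = specs.map(&:version).max
  {
    name: name,
    bundled: bundled&.to_s,
    newest: newest.to_s,
    satisfied: version_satisfies?(newest.to_s, min_version),
  }
end

if $PROGRAM_NAME == __FILE__
  # Constructed placeholders: take the real minimum versions from the
  # advisory for the CVE you are responding to, not from this example.
  { "json" => "2.0.0", "psych" => "3.0.0" }.each do |gem_name, min|
    st = stdlib_gem_status(gem_name, min)
    state = st[:satisfied] ? "ok" : "NEEDS UPDATE"
    puts "#{st[:name]}: bundled=#{st[:bundled].inspect} newest=#{st[:newest].inspect} #{state}"
  end
end
```

When `newest` is behind the minimum, `gem update <name>` installs the newer gem release, which is the path that avoids waiting for a CRuby release.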