Current ruby release (v2.7.2p137) out of date (now v2.7.6p?)
jufemaiz opened this issue
RUBY_VERSION: 2.7.5
RUBY_PATCHLEVEL: 203
RUBY_PLATFORM: x86_64-linux
RUBY_RELEASE_DATE: 2021-11-24
Note: the source is a lambci S3 bucket, which is opaque to me as to how it is managed.
https://github.com/lambci/docker-lambda/blob/master/ruby2.7/run/Dockerfile#L3
Relevant information:
v2.7.3
This release includes security fixes. Please check the topics below for details.
CVE-2021-28965: XML round-trip vulnerability in REXML
CVE-2021-28966: Path traversal in Tempfile on Windows
v2.7.4
This release includes security fixes. Please check the topics below for details.
CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
CVE-2021-31799: A command injection vulnerability in RDoc
v2.7.5
This release includes security fixes. Please check the topics below for details.
CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods
CVE-2021-41816: Buffer Overrun in CGI.escape_html
CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse
v2.7.6
This release includes a security fix.
CVE-2022-28739: Buffer overrun in String-to-Float conversion
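As an added example that is not part of the issue or of the lambci project: a small Ruby check that compares a RUBY_VERSION string against the 2.7-series fix table quoted above and lists the CVEs a runtime at that version still lacks. The table RUBY_27_FIXES and the functions unpatched_cves and audit_current_ruby are names chosen here, and the table covers only the releases listed in this issue.

```ruby
# Added example (not from the issue or the lambci project): given a Ruby
# version string, list the CVEs from the 2.7.x release notes quoted in the
# issue whose fix release is newer than that version.
require 'rubygems' # provides Gem::Version for correct version comparison

# Fix table built from the release notes quoted in the issue (2.7.3 - 2.7.6).
RUBY_27_FIXES = {
  '2.7.3' => %w[CVE-2021-28965 CVE-2021-28966],
  '2.7.4' => %w[CVE-2021-31810 CVE-2021-32066 CVE-2021-31799],
  '2.7.5' => %w[CVE-2021-41817 CVE-2021-41816 CVE-2021-41819],
  '2.7.6' => %w[CVE-2022-28739],
}.freeze

# Returns the CVE ids whose fix release is newer than +version+, in release
# order. Only the 2.7 series is covered by the table, so any other series is
# rejected rather than silently reported as clean.
def unpatched_cves(version, fixes = RUBY_27_FIXES)
  v = Gem::Version.new(version)
  unless v.segments[0, 2] == [2, 7]
    raise ArgumentError, "fix table only covers Ruby 2.7.x, got #{version}"
  end
  fixes.select { |fixed_in, _| Gem::Version.new(fixed_in) > v }
       .values
       .flatten
end

# Audits the interpreter this script is running on (e.g. inside the Lambda
# image the issue is about).
def audit_current_ruby
  unpatched_cves(RUBY_VERSION)
end

if __FILE__ == $PROGRAM_NAME
  begin
    missing = audit_current_ruby
    if missing.empty?
      puts "Ruby #{RUBY_VERSION}: no unpatched CVEs from the 2.7 fix table"
    else
      puts "Ruby #{RUBY_VERSION} lacks fixes for: #{missing.join(', ')}"
    end
  rescue ArgumentError => e
    puts e.message
  end
end
```

Run inside the image with `ruby audit.rb`; for the 2.7.2 runtime named in the issue title it reports all nine CVEs, for 2.7.5 only CVE-2022-28739.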