Upgrade Ruby version 2.4.9 to 2.4.10, 2.5.7 to 2.5.8, 2.6.5 to 2.6.6, 2.7.0 to 2.7.1 #310
Conversation
|
Shoot, the SHA-256 hash values in that commit are for the .tar.gz files. Fixing to use .tar.xz SHA-256 hashes. Commit coming momentarily. |
|
I triple checked the hash values from the following sources: https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-4-10-released/ If someone else wants to sanity check me that'd be great. |
|
For some reason, Travis is failing to report back to GitHub about builds recently -- the build is started over at https://travis-ci.org/github/docker-library/ruby/builds/669267136 As for double checking the SHA values, I pulled this locally so I could run
|
|
Thanks for the sanity check @tianon. I've updated the missed files too. |
|
Nice, Travis is green too! 👍 |
Changes: - docker-library/ruby@a564fea: Upgrade Ruby version 2.4.9 to 2.4.10, 2.5.7 to 2.5.8, 2.6.5 to 2.6.6, 2.7.0 to 2.7.1 (docker-library/ruby#310)
… 2.7.0 to 2.7.1 (docker-library#310) * Upgrade Ruby version 2.4.9 to 2.4.10, 2.5.7 to 2.5.8, 2.6.5 to 2.6.6, 2.7.0 to 2.7.1 * correct SHA256 hash values for the .tar.xz files * updating Ruby version/hashes in a few missed files
… 2.7.0 to 2.7.1 (docker-library#310) * Upgrade Ruby version 2.4.9 to 2.4.10, 2.5.7 to 2.5.8, 2.6.5 to 2.6.6, 2.7.0 to 2.7.1 * correct SHA256 hash values for the .tar.xz files * updating Ruby version/hashes in a few missed files
2 participants
A security advisory with subsequent fixed Ruby version upgrades was just released. Bumping Ruby versions addresses the following CVEs:
CVE-2020-10933: Heap exposure vulnerability in the socket library
https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/
CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix)
https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/