Ruby 2.6.5, 2.5.7 and 2.4.8 to be Released

Updates to the supported 2.x versions of Ruby bring fixes for several dangerous bugs
02 October 2019

Corrective releases of the Ruby programming language, 2.6.5, 2.5.7 and 2.4.8, have been published, fixing four vulnerabilities. The most dangerous one (CVE-2019-16255) is in the Shell standard library (lib/shell.rb) and allows code injection: if data received from the user is passed as the first argument of the Shell#[] or Shell#test methods, which are used to check for the presence of a file, an attacker can achieve an arbitrary Ruby method call.
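As an added illustration (not code from lib/shell.rb or from the Ruby project), here is the kind of dispatch the advisory describes, next to an allowlisted alternative; `unsafe_file_test`, `safe_file_test`, `ALLOWED_FILE_TESTS` and `UnknownFileTest` are names invented for this example:

```ruby
require "tmpdir"

# Unsafe pattern: a caller-controlled predicate name is sent straight to
# FileTest, so any method reachable by that name can be invoked, not only
# file-test predicates. (Hypothetical sketch, not the library's code.)
def unsafe_file_test(predicate, path)
  FileTest.send(predicate, path)
end

# Hardened pattern: only a fixed set of FileTest predicates is accepted, and
# the lookup goes through the allowlist hash rather than through #send, so an
# unexpected name can never reach a method call.
ALLOWED_FILE_TESTS = {
  "exist?"     => FileTest.method(:exist?),
  "file?"      => FileTest.method(:file?),
  "directory?" => FileTest.method(:directory?),
  "readable?"  => FileTest.method(:readable?),
  "size?"      => FileTest.method(:size?),
}.freeze

class UnknownFileTest < ArgumentError; end

# Accepts a String or Symbol predicate name and a path; raises
# UnknownFileTest for anything outside the allowlist.
def safe_file_test(predicate, path)
  name = predicate.to_s
  tester = ALLOWED_FILE_TESTS.fetch(name) do
    raise UnknownFileTest, "file test #{name.inspect} is not allowed"
  end
  tester.call(File.expand_path(path))
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: a temporary file created just for the demo.
  Dir.mktmpdir do |dir|
    sample = File.join(dir, "sample.txt")
    File.write(sample, "constructed sample")
    puts safe_file_test("exist?", sample)
    begin
      safe_file_test("not_a_predicate", sample)
    rescue UnknownFileTest => e
      puts e.message
    end
  end
end
```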

Other fixed issues:

  • CVE-2019-16254 - the bundled WEBrick HTTP server is susceptible to HTTP response splitting: if a program places unverified data in an HTTP response header, the header can be split by inserting a line feed character;
  • CVE-2019-15845 - inserting a NUL character (\0) into file paths checked with the "File.fnmatch" and "File.fnmatch?" methods can produce false matches;
  • CVE-2019-16201 - denial of service in the Digest authentication module of WEBrick.

You can get more info about each version at the official website pages. (2.6.5, 2.5.7 and 2.4.8)

Ruby/RoR News Digest 9-15.11

The delegation challenge of Ruby 2.7, feedback about writing your own Ruby book, a podcast on testing at scale at Stripe, and more
15 November 2019

Greetings! I hope your week went great! Here's new "gemmy" programming news digest.

Learn how to handle attachments in Action Text in Rails 6, download large Heroku Postgres backups, check out the Tomo update and more.

Guides

  • Handling Attachments in Action Text in Rails 6 

Second part of the Action Text tutorial that focuses on blocking files by type, how files are rendered, and previewing PDFs.

  • Downloading Large Heroku Postgres Backups

Learn how to download large Heroku Postgres backups in a proper and convenient way.

Articles

  • The Delegation Challenge of Ruby 2.7 

This is a somewhat odd situation where a change to argument handling changes delegation, so things behave differently in Ruby 2.6, 2.7, and 3.0. It's a tough nut to crack and a great example of language-design-related edge cases.

  • Feedback About Writing A Technical Ruby Book 

Author’s experience writing a book about programming.

Updates

  • Tomo

A "friendly" command-line tool for deploying Rails apps

  • Strings::Case

This solution allows you to convert strings between different cases

  • Reek

It will detect your code's smell, whatever that means

  • Invisible Captcha

Spam protector for Rails apps

Video

  • Testing Active Job in Ruby on Rails

Podcast

  • Discussing Testing at Scale at Stripe

In a 48-minute interview, Nelson Elhage, who spent 7 years at Stripe spearheading developer productivity initiatives, shares what he learnt and digs into why Stripe created the Sorbet Ruby type checker.