Ruby 2.6.5, 2.5.7 and 2.4.8 to be Released

Updates to the 2.x branches of Ruby bring fixes for several dangerous bugs
02 October 2019

Bug-fix releases of the Ruby programming language, 2.6.5, 2.5.7 and 2.4.8, have been published; they fix four vulnerabilities. The most dangerous (CVE-2019-16255) is in the Shell standard library (lib/shell.rb) and allows code injection: if data received from the user is processed in the first argument of the Shell#[] or Shell#test methods, which are used to check for the presence of a file, an attacker can achieve a call of an arbitrary Ruby method.

Other fixed issues:

  • CVE-2019-16254 - susceptibility of the embedded WEBrick HTTP server to HTTP response splitting (if the program places unverified data in an HTTP response header, the header can be split by inserting a line feed character);
  • CVE-2019-15845 - inserting a null character (\0) into file paths checked with the File.fnmatch and File.fnmatch? methods can produce false positive matches;
  • CVE-2019-16201 - denial of service in the Digest authentication module of WEBrick.
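The three input-handling problems above (an untrusted operator name reaching Shell#test, a NUL byte reaching File.fnmatch, and CR/LF reaching a WEBrick response header) share one mitigation: validate user-controlled values before they touch the affected API. The following Ruby is an added example, not code from the Ruby project or from the fixed releases; the function and constant names are this example's own, and the allowlist of FileTest predicates is an assumed policy, not something the announcement prescribes.

```ruby
# Added example (not from the Ruby release notes): defensive handling of the
# three untrusted-input cases named in the announcement.

# CVE-2019-16255: Shell#test / Shell#[] dispatched a user-supplied operator
# name to a method call. Instead of forwarding an untrusted string, map it
# through a fixed allowlist of FileTest predicates (assumed policy).
ALLOWED_FILE_TESTS = {
  "exist"     => :exist?,
  "file"      => :file?,
  "directory" => :directory?,
  "readable"  => :readable?,
}.freeze

# CVE-2019-15845: a NUL byte inside a path could make File.fnmatch compare
# only the prefix before the NUL. Reject such paths before any matching.
def safe_path?(path)
  path.is_a?(String) && !path.include?("\0")
end

# Returns true/false for an allowlisted test, nil for an unknown operator
# or an unsafe path. Only the allowlisted symbol is ever sent to FileTest.
def safe_file_test(operator, path)
  return nil unless safe_path?(path)
  predicate = ALLOWED_FILE_TESTS[operator.to_s]
  return nil if predicate.nil?
  FileTest.public_send(predicate, path)
end

# Glob matching that refuses NUL-containing paths outright.
def safe_fnmatch?(pattern, path)
  return false unless safe_path?(path)
  File.fnmatch?(pattern, path)
end

# CVE-2019-16254: a CR or LF in a value placed in an HTTP response header
# lets the sender split the response. Refuse such values instead of
# forwarding them to WEBrick (or any other server).
def safe_header_value?(value)
  value.is_a?(String) && !value.match?(/[\r\n]/)
end

if __FILE__ == $0
  p safe_file_test("directory", ".")            # => true
  p safe_file_test("send", ".")                 # => nil (not allowlisted)
  p safe_fnmatch?("*.rb", "evil.rb\0.txt")      # => false (NUL rejected)
  p safe_header_value?("text/html")             # => true
  p safe_header_value?("x\r\nSet-Cookie: a=b")  # => false (CRLF rejected)
end
```

The point of the allowlist is that the operator string never becomes a method name by itself; even if the library call it ends in is later patched, the caller's contract stays narrow.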

You can get more information about each version on the official website pages (2.6.5, 2.5.7 and 2.4.8).

Git 2.26 to be Released

Git is one of the most popular source code management systems, and the new version brings a lot of changes and updates
23 March 2020

Git 2.26.0, a distributed source code management system, is available. Git is one of the most popular, reliable and high-performance version control systems, providing flexible non-linear development tools based on branching and merging. To ensure the integrity of history and resistance to retroactive changes, each commit implicitly hashes the entire preceding history, and developers can also digitally sign individual tags and commits.

Compared to the previous release, the new version includes 504 changes prepared with the participation of 64 developers, 12 of whom contributed for the first time. Key innovations:

  • The transition to version 2 of the Git wire protocol, used when a client connects to a remote Git server, has been completed; it is now the default.
  • Added the "--show-scope" option to the "git config" command, which makes it easier to identify where a given setting is defined.
  • The credential settings now allow wildcards in the URL.
  • The extension of experimental support for partial clones was continued, which allows transferring only part of the data and working with an incomplete copy of the repository.
  • The performance of the "git grep" command, which is used to search both in the current contents of the repository and in historical revisions, is noticeably increased.
  • Added support for autocompletion of input of subcommands, paths, links, and other arguments of the "git worktree" command, which allows working with several working copies of the repository.
  • Added support for vivid colors for which there are ANSI escape sequences.
  • A new version of the fsmonitor-watchman script has been added, which provides integration with the Facebook Watchman mechanism to speed up tracking of file changes and the appearance of new files.
  • Optimizations have been added to speed up partial clone operations by using the bitmap machinery to avoid a full enumeration of all objects when filtering.
  • The "git rebase" command has been moved to a different backend, using the 'merge' mechanism (previously used for "rebase -i") by default instead of 'patch + apply'.
  • The sample credential helper that reads authentication parameters from .netrc has been brought to a form usable out of the box.
  • Added the gpg.minTrustLevel setting, which sets the minimum trust level required by the various components that verify digital signatures.
  • Added "--pathspec-from-file" option to "git rm" and "git stash".
  • Continued improvement of the test suites in preparation for the transition from the SHA-1 hash algorithm to SHA-2.
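Two of the items above, gpg.minTrustLevel and "git config --show-scope", are easy to try on a throwaway repository. The following shell script is an added example, not part of the release announcement; it assumes git 2.26 or newer on PATH, and the "fully" trust level is one choice among the values git documents, used here to show the effect rather than as a recommendation from the announcement.

```shell
# Added example (not from the Git 2.26 announcement): set gpg.minTrustLevel
# at repository scope and locate it with "git config --show-scope".
# Assumes git >= 2.26 on PATH.

# Create a scratch repository and require "fully" trusted keys for
# signature verification. Without this setting the default is to accept
# any key that verifies, regardless of its trust level in the keyring.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config gpg.minTrustLevel fully
  printf '%s\n' "$dir"
}

# Print the effective value of gpg.minTrustLevel for the repository.
min_trust_level() {
  git -C "$1" config --get gpg.minTrustLevel
}

# List every setting together with the scope it comes from
# (system, global, local, worktree, command); this is the 2.26 option.
show_scopes() {
  git -C "$1" config --list --show-scope
}

repo=$(make_repo)
min_trust_level "$repo"                        # prints: fully
show_scopes "$repo" | grep -i mintrustlevel    # prints: local<TAB>gpg.mintrustlevel=fully
rm -rf "$repo"
```

Reading the scope column is the practical use: when a signature check behaves unexpectedly, it tells you whether the governing value came from a system file, the user's global config, or the repository itself.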

Get more at the official mailing list announcement, the GitHub blog, and GitHub.