
Issue #19178 has been updated by austin (Austin Ziegler).

Segaja (Andreas Schleifer) wrote in #note-4:
austin (Austin Ziegler) wrote in #note-3:
"may"? This sounds like sometimes CVEs are not considered "important" enough and do not warrant a new CRuby release. Or do I misunderstand this?
Since the stdlib gems are able to be upgraded independently of Ruby, the need for *immediate* CRuby releases (or other Ruby release versions) is reduced.
I think we have a naming difference here. I'm talking about the "default gems" as listed on https://stdgems.org/3.0.4/ for example for CRuby version 3.0.4. From all I understood these "default gems" are shipped with the main ruby version and cannot be updated independently. So my question is how CVEs in those (for example the `json` default gem) will be handled.
No, they can be upgraded independently.

```console
$ ruby -rjson -e 'puts "JSON: #{JSON::VERSION}"'
JSON: 2.6.1
$ gem search '^json$'

*** REMOTE GEMS ***

json (2.6.2 ruby java, 1.1.5 x86-linux, 1.1.1 mswin32)
$ gem install json
Fetching json-2.6.2.gem
Building native extensions. This could take a while...
Successfully installed json-2.6.2
Parsing documentation for json-2.6.2
Installing ri documentation for json-2.6.2
Done installing documentation for json after 0 seconds
1 gem installed
$ ruby -rjson -e 'puts "JSON: #{JSON::VERSION}"'
JSON: 2.6.2
```

I'm currently using Ruby 3.1.

----------------------------------------
Misc #19178: How does CRuby handle CVE issues in stdlib gems which get patched?
https://bugs.ruby-lang.org/issues/19178#change-100472

* Author: Segaja (Andreas Schleifer)
* Status: Open
* Priority: Normal
----------------------------------------
If there is a CVE issue in one of the stdlibs ( https://stdgems.org/ ) which gets patched, what is CRuby's approach on how to push this critical fix to the users?

As far as I know stdlibs get only updated for the users if CRuby releases a new version. So will CRuby always release a new version if there is a critical fix and a stdlib "needs" to be updated?

-- 
https://bugs.ruby-lang.org/
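A check for the situation austin's reply demonstrates, added here as an example and not part of the thread: it asks RubyGems which copy of a default gem (the one shipped with the interpreter or a newer `gem install`ed one) will actually be loaded by `require`, and whether that copy is at or past a given fixed version. The fixed version in the usage line is a constructed placeholder, not taken from any advisory.

```ruby
require "rubygems"

# Resolve how a default (stdlib) gem is currently provided on this Ruby:
# the version shipped with the interpreter, any copy installed separately
# via `gem install`, and which one RubyGems will activate on `require`
# (the highest version wins unless a Gemfile.lock pins otherwise).
def default_gem_report(name)
  specs     = Gem::Specification.find_all_by_name(name)
  shipped   = specs.select(&:default_gem?).map(&:version).max
  installed = specs.reject(&:default_gem?).map(&:version).max
  active    = [shipped, installed].compact.max
  {
    shipped:    shipped,    # version bundled with this Ruby (nil if not a default gem)
    installed:  installed,  # highest separately installed version (nil if none)
    active:     active,     # what `require name` will load
    overridden: !installed.nil? && (shipped.nil? || installed > shipped),
  }
end

# True when the version that will be loaded is older than the release that
# carries a fix; nil when the gem is not present at all. `fixed_version`
# is whatever version an advisory names (a placeholder here, since the
# thread cites no real CVE).
def needs_upgrade?(name, fixed_version)
  active = default_gem_report(name)[:active]
  return nil if active.nil?
  active < Gem::Version.create(fixed_version)
end

if __FILE__ == $PROGRAM_NAME
  r = default_gem_report("json")
  puts "json: shipped=#{r[:shipped]} installed=#{r[:installed]} " \
       "active=#{r[:active]} overridden=#{r[:overridden]}"
  # "2.6.2" is a constructed placeholder for an advisory's fixed version.
  puts "json needs upgrade vs 2.6.2? #{needs_upgrade?('json', '2.6.2').inspect}"
end
```

Run it on a Ruby that has had `gem install json` applied as in the transcript above and `overridden` flips to true while `shipped` still reports the interpreter's bundled version.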