Issue #20685 has been updated by nagachika (Tomoyuki Chikanaga). Thank you for your greate catch! You are totally right. ruby-3.2 seriese contains stringio-3.0.4 from the beginning. I remove the CVE reference in the GitHub release page now. https://github.com/ruby/ruby/releases/tag/v3_2_4 I will also remove the links in the release announce pages in www.ruby-lang.org afterward. ---------------------------------------- Misc #20685: Ruby 3.2.4 tag mentions unrelated changes (CVE-2024-27280) https://bugs.ruby-lang.org/issues/20685#change-109463 * Author: kenhys (Kentaro Hayashi) * Status: Open ---------------------------------------- # Problem According to https://github.com/ruby/ruby/releases/tag/v3_2_4, it mentions "CVE-2024-27280: Buffer overread vulnerability in StringIO" as a security fix, but https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/ explicitly describe that the following:

This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later.

so, it is a bit strange that CVE-2023-27280 was mentioned as security fix for 3.2.x, IMHO. Please correct me if I'm wrongly interpreted it. # Expected The problematic description was removed from tags and release note. # Additional Information * https://github.com/ruby/ruby/releases/tag/v3_2_4 * mention it as security fix * https://www.ruby-lang.org/ja/news/2024/04/23/ruby-3-2-4-released/ * mention it as security fix * https://www.ruby-lang.org/en/news/2024/04/23/ruby-3-2-4-released/ * mention it as security fix -- https://bugs.ruby-lang.org/