-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5848
                        Ruby 3.2.0 Preview 3 Released
                               14 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade

Original Bulletin:
   https://www.ruby-lang.org/en/news/2022/11/11/ruby-3-2-0-preview3-released/

Comment: CVSS (Max):  None available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

Ruby 3.2.0 Preview 3 Released

Posted by naruse on 11 Nov 2022

We are pleased to announce the release of Ruby 3.2.0-preview3. Ruby 3.2 adds
many features and performance improvements.

WASI based WebAssembly support

This is an initial port of WASI based WebAssembly support. This enables a
CRuby binary to be available on web browsers, serverless edge environments,
and other WebAssembly/WASI embedders. Currently this port passes the basic
and bootstrap test suites that do not use the Thread API.

Background

WebAssembly (Wasm) was originally introduced to run programs safely and fast
in web browsers. But its objective, running programs efficiently and securely
on various environments, has long been wanted not only by the web but also by
general applications. WASI (the WebAssembly System Interface) is designed for
such use cases. Such applications need to communicate with operating systems,
but WebAssembly runs on a virtual machine which didn't have a system
interface. WASI standardizes it.

WebAssembly/WASI support in Ruby intends to leverage those projects. It
enables Ruby developers to write applications which run on such promising
platforms.

Use case

This support enables developers to utilize CRuby in WebAssembly environments.
An example use case is the TryRuby playground's CRuby support. Now you can
try original CRuby in your web browser.

Technical points

Today's WASI and WebAssembly itself lack some features needed to implement
Fiber, exceptions, and GC, because they are still evolving and also for
security reasons. So CRuby fills the gap by using Asyncify, which is a
binary transformation technique to control execution in userland.

In addition, we built a VFS on top of WASI so that we can easily pack Ruby
apps into a single .wasm file. This makes distribution of Ruby apps a bit
easier.

Related links

o Add WASI based WebAssembly support #5407
o An Update on WebAssembly/WASI Support in Ruby

Regexp improvements against ReDoS

It is known that Regexp matching may take unexpectedly long. If your code
attempts to match a possibly inefficient Regexp against untrusted input, an
attacker may exploit it for an efficient Denial of Service (so-called Regular
expression DoS, or ReDoS).

We have introduced two improvements that significantly mitigate ReDoS.

Improved Regexp matching algorithm

Since Ruby 3.2, Regexp's matching algorithm has been greatly improved by
using a memoization technique.

    # This matching takes 10 sec. in Ruby 3.1, and 0.003 sec. in Ruby 3.2
    /^a*ba*$/ =~ "a" * 50000 + "x"

The improved matching algorithm allows most Regexp matching (about 90% in our
experiments) to be completed in linear time.

(For preview users: this optimization may consume memory proportional to the
input length for each matching. We expect no practical problems to arise
because this memory allocation is usually delayed, and a normal Regexp
matching should consume at most 10 times as much memory as the input length.
If you run out of memory when matching Regexps in a real-world application,
please report it.)
The original proposal is https://bugs.ruby-lang.org/issues/19104

Regexp timeout

The optimization above cannot be applied to some kinds of regular
expressions, such as those including advanced features (e.g.,
back-references or look-around), or those with a huge fixed number of
repetitions. As a fallback measure, a timeout feature for Regexp matching is
also introduced.

    Regexp.timeout = 1.0

    /^a*ba*()\1$/ =~ "a" * 50000 + "x"
    #=> Regexp::TimeoutError is raised in one second

Note that Regexp.timeout is a global configuration. If you want to use
different timeout settings for some special Regexps, you may want to use the
timeout keyword for Regexp.new.

    Regexp.timeout = 1.0

    # This regexp has no timeout. The back-reference is written "\\1" so that
    # the double-quoted string passes a literal backslash-1 to Regexp.new
    # (an unescaped "\1" would be the octal escape for the byte 0x01).
    long_time_re = Regexp.new("^a*ba*()\\1$", timeout: Float::INFINITY)

    long_time_re =~ "a" * 50000 + "x" # never interrupted

The original proposal is https://bugs.ruby-lang.org/issues/17837

Other Notable New Features

No longer bundle 3rd party sources

o We no longer bundle 3rd party sources like libyaml and libffi.
  - The libyaml source has been removed from psych. You may need to install
    libyaml-dev on Ubuntu/Debian platforms. The package name differs between
    platforms.
  - The bundled libffi source has also been removed from fiddle.

Language

o Anonymous rest and keyword rest arguments can now be passed as arguments,
  instead of just used in method parameters. [Feature #18351]

      def foo(*)
        bar(*)
      end
      def baz(**)
        quux(**)
      end

o A proc that accepts a single positional argument and keywords will no
  longer autosplat. [Bug #18633]

      proc{|a, **k| a}.call([1, 2])
      # Ruby 3.1 and before
      # => 1
      # Ruby 3.2 and after
      # => [1, 2]

o Constant assignment evaluation order for constants set on explicit objects
  has been made consistent with single attribute assignment evaluation order.
  With this code:

      foo::BAR = baz

  foo is now called before baz. Similarly, for multiple assignments to
  constants, left-to-right evaluation order is used.
  With this code:

      foo1::BAR1, foo2::BAR2 = baz1, baz2

  The following evaluation order is now used:

      1. foo1
      2. foo2
      3. baz1
      4. baz2

  [Bug #15928]

o Find pattern is no longer experimental. [Feature #18585]

o Methods taking a rest parameter (like *args) and wishing to delegate
  keyword arguments through foo(*args) must now be marked with
  ruby2_keywords (if not already the case). In other words, all methods
  wishing to delegate keyword arguments through *args must now be marked
  with ruby2_keywords, with no exception. This will make it easier to
  transition to other ways of delegation once a library can require Ruby 3+.
  Previously, the ruby2_keywords flag was kept if the receiving method took
  *args, but this was a bug and an inconsistency. A good technique to find
  the potentially-missing ruby2_keywords is to run the test suite; where it
  fails, find the last method which must receive keyword arguments, use
  puts nil, caller, nil there, and check that each method/block on the call
  chain which must delegate keywords is correctly marked as ruby2_keywords.
  [Bug #18625] [Bug #16466]

      def target(**kw)
      end

      # Accidentally worked without ruby2_keywords in Ruby 2.7-3.1, ruby2_keywords
      # needed in 3.2+. Just like (*args, **kwargs) or (...) would be needed on
      # both #foo and #bar when migrating away from ruby2_keywords.
      ruby2_keywords def bar(*args)
        target(*args)
      end

      ruby2_keywords def foo(*args)
        bar(*args)
      end

      foo(k: 1)

Performance improvements

YJIT

o Support arm64 / aarch64 on UNIX platforms.
o Building YJIT requires Rust 1.58.1+. [Feature #18481]

Other notable changes since 3.1

o Hash
  - Hash#shift now always returns nil if the hash is empty, instead of
    returning the default value or calling the default proc. [Bug #16908]

o MatchData
  - MatchData#byteoffset has been added. [Feature #13110]

o Module
  - Module.used_refinements has been added. [Feature #14332]
  - Module#refinements has been added. [Feature #12737]
  - Module#const_added has been added.
    [Feature #17881]

o Proc
  - Proc#dup returns an instance of the subclass. [Bug #17545]
  - Proc#parameters now accepts the lambda keyword. [Feature #15357]

o Refinement
  - Refinement#refined_class has been added. [Feature #12737]

o RubyVM::AbstractSyntaxTree
  - Add the error_tolerant option for parse, parse_file and of.
    [Feature #19013]

o Set
  - Set is now available as a builtin class without the need for
    require "set". [Feature #16989]
    It is currently autoloaded via the Set constant or a call to
    Enumerable#to_set.

o String
  - String#byteindex and String#byterindex have been added. [Feature #13110]
  - Update Unicode to Version 14.0.0 and Emoji Version 14.0. [Feature #18037]
    (also applies to Regexp)
  - String#bytesplice has been added. [Feature #18598]

o Struct
  - A Struct class can also be initialized with keyword arguments without
    keyword_init: true on Struct.new. [Feature #16806]

Compatibility issues

Note: Excluding feature bug fixes.

Removed constants

The following deprecated constants are removed.

o Fixnum and Bignum [Feature #12005]
o Random::DEFAULT [Feature #17351]
o Struct::Group
o Struct::Passwd

Removed methods

The following deprecated methods are removed.

o Dir.exists [Feature #17391]
o File.exists [Feature #17391]
o Kernel#=~ [Feature #15231]
o Kernel#taint, Kernel#untaint, Kernel#tainted [Feature #16131]
o Kernel#trust, Kernel#untrust, Kernel#untrusted [Feature #16131]

Stdlib compatibility issues

o Psych no longer bundles libyaml sources. Users need to install the libyaml
  library themselves via the package system. [Feature #18571]

C API updates

Updated C APIs

The following APIs are updated.

o PRNG update
  - rb_random_interface_t updated and versioned. Extension libraries which
    use this interface and were built for older versions are affected. Also,
    the init_int32 function needs to be defined.

Removed C APIs

The following deprecated APIs are removed.

o rb_cData variable.
o taintedness and trustedness functions.
  [Feature #16131]

Standard libraries updates

o SyntaxSuggest
  - The feature of syntax_suggest, formerly dead_end, is integrated into
    Ruby. [Feature #18159]

o ErrorHighlight
  - Now it points at the argument(s) of TypeError and ArgumentError:

        test.rb:2:in `+': nil can't be coerced into Integer (TypeError)

        sum = ary[0] + ary[1]
                       ^^^^^^

o The following default gems are updated.
  - RubyGems 3.4.0.dev
  - bigdecimal 3.1.2
  - bundler 2.4.0.dev
  - cgi 0.3.2
  - date 3.2.3
  - error_highlight 0.4.0
  - etc 1.4.0
  - io-console 0.5.11
  - io-nonblock 0.1.1
  - io-wait 0.3.0.pre
  - ipaddr 1.2.4
  - json 2.6.2
  - logger 1.5.1
  - net-http 0.2.2
  - net-protocol 0.1.3
  - ostruct 0.5.5
  - psych 5.0.0.dev
  - reline 0.3.1
  - securerandom 0.2.0
  - set 1.0.3
  - stringio 3.0.3
  - syntax_suggest 0.0.1
  - timeout 0.3.0

o The following bundled gems are updated.
  - minitest 5.16.3
  - net-imap 0.2.3
  - rbs 2.6.0
  - typeprof 0.21.3
  - debug 1.6.2

o The following default gems are now bundled gems.

See NEWS or commit logs for more details.

With those changes, 2719 files changed, 191269 insertions(+), 120315
deletions(-) since Ruby 3.1.0!
Download

o https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.0-preview3.tar.gz
    SIZE:   20086542
    SHA1:   dafca8116d36ceaa32482ab38359768de8c3ae5e
    SHA256: c041d1488e62730d3a10dbe7cf7a3b3e4268dc867ec20ec991e7d16146640487
    SHA512: 860634d95e4b9c48f18d38146dfbdc3c389666d45454248a4ccdfc3a5d3cd0c71c73533aabf359558117de9add1472af228d8eaec989c9336b1a3a6f03f1ae88

o https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.0-preview3.tar.xz
    SIZE:   14799804
    SHA1:   c94e2add05502cb5c39afffc995b7c8f000f7df0
    SHA256: d3f5619de544240d92a5d03aa289e71bd1103379622c523a0e80ed029a74b3bb
    SHA512: c1864e2e07c3711eaa17d0f85dfbcc6e0682b077782bb1c155315af45139ae66dc4567c73682d326975b0f472111eb0a70f949811cb54bed0b3a816ed6ac34df

o https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.0-preview3.zip
    SIZE:   24426893
    SHA1:   346c051c4be7ab8d0b551fd2ff8169785697db62
    SHA256: cf49aa70e7ebd8abebffd5e49cd3bd92e5b9f3782d587cc7ed88c98dd5f17069
    SHA512: 4f22b5ea91be17ef5f68cf0acb1e3a226dcc549ad71cc9b40e623220087c4065ca9bea942710f668e5c94ca0323da8d2ccd565f95a9085c1a0e38e9c0543b22f

What is Ruby

Ruby was first developed by Matz (Yukihiro Matsumoto) in 1993, and is now
developed as Open Source. It runs on multiple platforms and is used all over
the world, especially for web development.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.