Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.0024 New Ruby bulletin: Ruby 2.7.0 Released 2 January 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: ruby Publisher: ruby Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Reduced Security -- Unknown/Unspecified Resolution: Patch/Upgrade Original Bulletin: https://www.ruby-lang.org/en/news/2019/12/25/ruby-2-7-0-released/ - --------------------------BEGIN INCLUDED TEXT-------------------- Ruby 2.7.0 Released Posted by naruse on 25 Dec 2019 We are pleased to announce the release of Ruby 2.7.0. It introduces a number of new features and performance improvements, most notably: o Pattern Matching o REPL improvement o Compaction GC o Separation of positional and keyword arguments Pattern Matching [Experimental] Pattern matching, a widely used feature in functional programming languages, is introduced as an experimental feature. [Feature #14912] It can traverse a given object and assign its value if it matches a pattern. require "json" json = <<END { "name": "Alice", "age": 30, "children": [{ "name": "Bob", "age": 2 }] } END case JSON.parse(json, symbolize_names: true) in {name: "Alice", children: [{name: "Bob", age: age}]} p age #=> 2 end For more details, please see Pattern matching - New feature in Ruby 2.7 . REPL improvement irb , the bundled interactive environment (REPL; Read-Eval-Print-Loop), now supports multi-line editing. It is powered by reline , a readline -compatible library implemented in pure Ruby. It also provides rdoc integration. In irb you can display the reference for a given class, module, or method. [Feature # 14683] , [Feature #14787] , [Feature #14918] Besides, source lines shown by Binding#irb and inspect results for core-class objects are now colorized. Compaction GC This release introduces Compaction GC which can defragment a fragmented memory space. Some multi-threaded Ruby programs may cause memory fragmentation, leading to high memory usage and degraded speed. The GC.compact method is introduced for compacting the heap. This function compacts live objects in the heap so that fewer pages may be used, and the heap may be more CoW (copy-on-write) friendly. [Feature #15626] Separation of positional and keyword arguments Automatic conversion of keyword arguments and positional arguments is deprecated, and conversion will be removed in Ruby 3. [Feature #14183] See the article Separation of positional and keyword arguments in Ruby 3.0 in detail. Only the changes are as follows. o When a method call passes a Hash at the last argument, and when it passes no keywords, and when the called method accepts keywords, a warning is emitted. To continue treating the hash as keywords, add a double splat operator to avoid the warning and ensure correct behavior in Ruby 3. def foo(key: 42); end; foo({key: 42}) # warned def foo(**kw); end; foo({key: 42}) # warned def foo(key: 42); end; foo(**{key: 42}) # OK def foo(**kw); end; foo(**{key: 42}) # OK o When a method call passes keywords to a method that accepts keywords, but it does not pass enough required positional arguments, the keywords are treated as a final required positional argument, and a warning is emitted. Pass the argument as a hash instead of keywords to avoid the warning and ensure correct behavior in Ruby 3. def foo(h, **kw); end; foo(key: 42) # warned def foo(h, key: 42); end; foo(key: 42) # warned def foo(h, **kw); end; foo({key: 42}) # OK def foo(h, key: 42); end; foo({key: 42}) # OK o When a method accepts specific keywords but not a keyword splat, and a hash or keywords splat is passed to the method that includes both Symbol and non-Symbol keys, the hash will continue to be split, and a warning will be emitted. You will need to update the calling code to pass separate hashes to ensure correct behavior in Ruby 3. def foo(h={}, key: 42); end; foo("key" => 43, key: 42) # warned def foo(h={}, key: 42); end; foo({"key" => 43, key: 42}) # warned def foo(h={}, key: 42); end; foo({"key" => 43}, key: 42) # OK o If a method does not accept keywords, and is called with keywords, the keywords are still treated as a positional hash, with no warning. This behavior will continue to work in Ruby 3. def foo(opt={}); end; foo( key: 42 ) # OK o Non-symbols are allowed as keyword argument keys if the method accepts arbitrary keywords. [Feature #14183] def foo(**kw); p kw; end; foo("str" => 1) #=> {"str"=>1} o **nil is allowed in method definitions to explicitly mark that the method accepts no keywords. Calling such a method with keywords will result in an ArgumentError. [Feature #14183] def foo(h, **nil); end; foo(key: 1) # ArgumentError def foo(h, **nil); end; foo(**{key: 1}) # ArgumentError def foo(h, **nil); end; foo("str" => 1) # ArgumentError def foo(h, **nil); end; foo({key: 1}) # OK def foo(h, **nil); end; foo({"str" => 1}) # OK o Passing an empty keyword splat to a method that does not accept keywords no longer passes an empty hash, unless the empty hash is necessary for a required parameter, in which case a warning will be emitted. Remove the double splat to continue passing a positional hash. [Feature #14183] h = {}; def foo(*a) a end; foo(**h) # [] h = {}; def foo(a) a end; foo(**h) # {} and warning h = {}; def foo(*a) a end; foo(h) # [{}] h = {}; def foo(a) a end; foo(h) # {} If you want to disable the deprecation warnings, please use a command-line argument -W:no-deprecated or add Warning[:deprecated] = false to your code. Other Notable New Features o Numbered parameters as default block parameters are introduced. [Feature # 4475] o A beginless range is experimentally introduced. It might not be as useful as an endless range, but would be good for DSL purposes. [Feature #14799] ary[..3] # identical to ary[0..3] rel.where(sales: ..100) o Enumerable#tally is added. It counts the occurrence of each element. ["a", "b", "c", "b"].tally #=> {"a"=>1, "b"=>2, "c"=>1} o Calling a private method with a literal self as the receiver is now allowed. [Feature #11297] , [Feature #16123] def foo end private :foo self.foo o Enumerator::Lazy#eager is added. It generates a non-lazy enumerator from a lazy enumerator. [Feature #15901] a = %w(foo bar baz) e = a.lazy.map {|x| x.upcase }.map {|x| x + "!" }.eager p e.class #=> Enumerator p e.map {|x| x + "" } #=> ["FOO!", "BAR!", "BAZ!"] Performance improvements o JIT [Experimental] JIT-ed code is recompiled to less-optimized code when an optimization assumption is invalidated. Method inlining is performed when a method is considered as pure. This optimization is still experimental and many methods are NOT considered as pure yet. The default value of --jit-min-calls is changed from 5 to 10,000. The default value of --jit-max-cache is changed from 1,000 to 100. o Fiber s cache strategy is changed and fiber creation is speeded up. GH-2224 o Module#name , true.to_s , false.to_s , and nil.to_s now always return a frozen String. The returned String is always the same for a given object. [Experimental] [Feature #16150] o The performance of CGI.escapeHTML is improved. GH-2226 o The performance of Monitor and MonitorMixin is improved. [Feature #16255] o Per-call-site method cache, which has been there since around 1.9, was improved: cache hit rate raised from 89% to 94%. See GH-2583 o RubyVM::InstructionSequence#to_binary method generates compiled binary. The binary size is reduced. [Feature #16163] Other notable changes since 2.6 o Some standard libraries are updated. Bundler 2.1.2 ( Release note ) RubyGems 3.1.2 ( Release note for 3.1.0 ) ( Release note for 3.1.1 ) ( Release note for 3.1.2 ) Racc 1.4.15 CSV 3.1.2 ( NEWS ) REXML 3.2.3 ( NEWS ) RSS 0.2.8 ( NEWS ) StringScanner 1.0.3 Some other libraries that have no original version are also updated. o The following libraries are no longer bundled gems. Install corresponding gems to use these features. CMath (cmath gem) Scanf (scanf gem) Shell (shell gem) Synchronizer (sync gem) ThreadsWait (thwait gem) E2MM (e2mmap gem) o profile.rb was removed from standard library. o Promote stdlib to default gems The following default gems were published on rubygems.org benchmark cgi delegate getoptlong net-pop net-smtp open3 pstore singleton The following default gems were only promoted at ruby-core, but not yet published on rubygems.org. monitor observer timeout tracer uri yaml o Proc.new and proc with no block in a method called with a block is warned now. o lambda with no block in a method called with a block raises an exception. o Update Unicode version and Emoji version from 11.0.0 to 12.0.0. [Feature # 15321] o Update Unicode version to 12.1.0, adding support for U+32FF SQUARE ERA NAME REIWA. [Feature #15195] o Date.jisx0301 , Date#jisx0301 , and Date.parse support the new Japanese era. [Feature #15742] o Require compilers to support C99. [Misc #15347] Details of our dialect: https://bugs.ruby-lang.org/projects/ruby-trunk/ wiki/C99 See NEWS or commit logs for more details. With those changes, 4190 files changed, 227498 insertions(+), 99979 deletions (-) since Ruby 2.6.0! Merry Christmas, Happy Holidays, and enjoy programming with Ruby 2.7! Download o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.0.tar.bz2 SIZE: 14703381 SHA1: b54f4633174dbc55db77d9fd6d0ef90cc35503af SHA256: 7aa247a19622a803bdd29fdb28108de9798abe841254fe8ea82c31d125c6ab26 SHA512: 8b8dd0ceba65bdde53b7c59e6a84bc6bf634c676bfeb2ff0b3604c362c663b465397f31ff6c936441b3daabb78fb7a619be5569480c95f113dd0453488761ce7 o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.0.tar.gz SIZE: 16799684 SHA1: 6f4e99b5556010cb27e236873cb8c09eb8317cd5 SHA256: 8c99aa93b5e2f1bc8437d1bbbefd27b13e7694025331f77245d0c068ef1f8cbe SHA512: 973fc29b7c19e96c5299817d00fbdd6176319468abfca61c12b5e177b0fb0d31174a5a5525985122a7a356091a709f41b332454094940362322d1f42b77c9927 o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.0.tar.xz SIZE: 11990900 SHA1: 943c767cec037529b8e2d3cc14fc880cad5bad8d SHA256: 27d350a52a02b53034ca0794efe518667d558f152656c2baaf08f3d0c8b02343 SHA512: dd5690c631bf3a2b76cdc06902bcd76a89713a045e136debab9b8a81ff8c433bbb254aa09e4014ca1cf85a69ff4bcb13de11da5e40c224e7268be43ef2194af7 o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.0.zip SIZE: 20571744 SHA1: fbebdd3a2a641f9a81f7d8db5abd926acea27e80 SHA256: 8bf2050fa1fc76882f878fd526e4184dc54bd402e385efa80ef5fd3b810522e0 SHA512: 5060f2dd3bfd271ef255b17589d6d014260d7ec2d97b48112b717ee01c62fe125c3fe04f813e02d607cea3f0a2a812b14eb3a28d06c2551354dfeff5f4c3dd6b What is Ruby Ruby was first developed by Matz (Yukihiro Matsumoto) in 1993, and is now developed as Open Source. It runs on multiple platforms and is used all over the world especially for web development. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXg1lgWaOgq3Tt24GAQgoxg/+L7KEAJrCWGstgCJyhNv0dqipWONYAAC3 Q3D4ITLY+y057eno5Qp8BfRekOCEOhBkekdb5EBTb0irZUrbsPPkS1BGvqUayUx9 K15St24PN9CN19qtQ8j6c4w2dawBr2SEMygfDH83/PsmR9c50sKOwpXESIgg+qJB 0DysVZ7eqUmZoRaD0OlXQWgMz793+3/wy0ZAZ9UY+1NnTiuAIiRzebj3Ma9KtSGQ G4GJTs4iHNAgNo5rU9BrePwxbFCL16iep+/VyQFZyrpJe6m7QSZHcIqcw7tMsUIs hlurDmBUye01ilFN5dXXyCFuC9bWVbXPN1XZLsrhjKNnZkObIZtkMRKi3KQFyq9h zOxT3TZHfVO7wUCdKOpeot9D+RJ12MWCEUuhQ5lLxy7AiUFGj+Eb1ATsVHm91MMI OxT5AszeZfvYcQjpvaxcX2inQhtka5JDxt54cTqVJIk/uMS+AJDK+Ru2Be5juyaZ H5nJFXyBwcX7eXBliLXaBBy85MMRv+brL74f1Tvj461o4KeivWxiA9tMrhVvXBdz WaihcgrQqs4xWOjDBlC8nvnFadUBCuKvhctO2pQZxohX94wlU6rsPvK1yXBpgdxt V/+L8G8gwwHAYuBnvsvFJz/dETqMDKnREapSVbQvslSMqb3G/ibpDk6ARn9frVec C7dbsuIMSLs= =I7xn -----END PGP SIGNATURE-----