Security announcement (#1761)

* Security announcement

* Ruby 2.2.10 announcement

* Ruby 2.3.7 announcement

* _data (2.5.1, 2.4.4, 2.3.7 and 2.2.10)

Author: unak

_data/branches.yml

@@ -26,7 +26,7 @@
 - name: 2.3
   status: normal maintenance
   date: 2015-12-25
-  eol_date:
+  eol_date: scheduled for 2019-03-31
 
 - name: 2.2
   status: security maintenance

_data/downloads.yml

@@ -8,14 +8,14 @@ preview:
 
 stable:
 
-  - 2.5.0
-  - 2.4.3
-  - 2.3.6
+  - 2.5.1
+  - 2.4.4
+  - 2.3.7
 
 # optional
 security_maintenance:
 
-  - 2.2.9
+  - 2.2.10
 
 # optional
 eol:

_data/releases.yml

@@ -37,6 +37,20 @@
 
 # 2.5 series
 
+- version: 2.5.1
+  date: 2018-03-28
+  post: /en/news/2018/03/28/ruby-2-5-1-released/
+  url:
+    gz:  https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.1.tar.gz
+    zip: https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.1.zip
+    bz2: https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.1.tar.bz2
+    xz:  https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.1.tar.xz
+  sha256:
+    gz:  dac81822325b79c3ba9532b048c2123357d3310b2b40024202f360251d9829b1
+    zip: 5d8e490896c8353aa574be56ca9aa52c250390e76e36cd23df450c0434ada4d4
+    bz2: 0f5d20f012baca865381a055e73f22db814615fee3c68083182cb78a4b3b30cb
+    xz:  886ac5eed41e3b5fc699be837b0087a6a5a3d10f464087560d2d21b3e71b754d
+
 - version: 2.5.0
   date: 2017-12-25
   post: /en/news/2017/12/25/ruby-2-5-0-released/
@@ -81,6 +95,20 @@
 
 # 2.4 series
 
+- version: 2.4.4
+  date: 2018-03-28
+  post: /en/news/2018/03/28/ruby-2-4-4-released/
+  url:
+    bz2: https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.4.tar.bz2
+    gz:  https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.4.tar.gz
+    xz:  https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.4.tar.xz
+    zip: https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.4.zip
+  sha256:
+    bz2: 45a8de577471b90dc4838c5ef26aeb253a56002896189055a44dc680644243f1
+    gz:  254f1c1a79e4cc814d1e7320bc5bdd995dc57e08727d30a767664619a9c8ae5a
+    xz:  1d0034071d675193ca769f64c91827e5f54cb3a7962316a41d5217c7bc6949f0
+    zip: d0ca0561be0045f2e094f2ba94f1585e66e9c1e91fe6de3f3035f4d67dce7650
+
 - version: 2.4.3
   date: 2017-12-14
   post: /en/news/2017/12/14/ruby-2-4-3-released/
@@ -130,6 +158,20 @@
 
 # 2.3 series
 
+- version: 2.3.7
+  date: 2018-03-28
+  post: /en/news/2018/03/28/ruby-2-3-7-released/
+  url:
+    bz2: https://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.7.tar.bz2
+    gz:  https://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.7.tar.gz
+    xz:  https://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.7.tar.xz
+    zip: https://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.7.zip
+  sha256:
+    bz2: 18b12fafaf37d5f6c7139c1b445355aec76baa625a40300598a6c8597fc04d8e
+    gz:  35cd349cddf78e4a0640d28ec8c7e88a2ae0db51ebd8926cd232bb70db2c7d7f
+    xz:  c61f8f2b9d3ffff5567e186421fa191f0d5e7c2b189b426bb84498825d548edb
+    zip: ffa42eeff928624a05dc7ad39426c855c6e9a757417f17b6fe9e54664ec91012
+
 - version: 2.3.6
   date: 2017-12-14
   post: /en/news/2017/12/14/ruby-2-3-6-released/
@@ -182,6 +224,20 @@
 
 # 2.2 series
 
+- version: 2.2.10
+  date: 2018-03-28
+  post: /en/news/2018/03/28/ruby-2-2-10-released/
+  url:
+    bz2: https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.10.tar.bz2
+    gz:  https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.10.tar.gz
+    xz:  https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.10.tar.xz
+    zip: https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.10.zip
+  sha256:
+    bz2: a54204d2728283c9eff0cf81d654f245fa5b3447d0824f1a6bc3b2c5c827381e
+    gz:  cd51019eb9d9c786d6cb178c37f6812d8a41d6914a1edaf0050c051c75d7c358
+    xz:  bf77bcb7e6666ccae8d0882ea12b05f382f963f0a9a5285a328760c06a9ab650
+    zip: 6933eb989afb1b916c438d8eeecff1cfb0a6569c07e7190beca56b10b822207a
+
 - version: 2.2.9
   date: 2017-12-14
   post: /en/news/2017/12/14/ruby-2-2-9-released/

en/news/_posts/2018-03-28-buffer-under-read-unpack-cve-2018-8778.md

@@ -0,0 +1,36 @@
+---
+layout: news_post
+title: "CVE-2018-8778: Buffer under-read in String#unpack"
+author: "usa"
+date: 2018-03-28 14:00:00 +0000
+tags: security
+lang: en
+---
+
+There is a buffer under-read vulnerability in `String#unpack` method.
+This vulnerability has been assigned the CVE identifier [CVE-2018-8778](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8778).
+
+## Details
+
+`String#unpack` receives format specifiers as its parameter, and can be specified the position of parsing the data by the specifier `@`.
+If a big number is passed with `@`, the number is treated as the negative value, and out-of-buffer read is occurred.
+So, if a script accepts an external input as the argument of `String#unpack`, the attacker can read data on heaps.
+
+All users running an affected release should upgrade immediately.
+
+## Affected Versions
+
+* Ruby 2.2 series: 2.2.9 and earlier
+* Ruby 2.3 series: 2.3.6 and earlier
+* Ruby 2.4 series: 2.4.3 and earlier
+* Ruby 2.5 series: 2.5.0 and earlier
+* Ruby 2.6 series: 2.6.0-preview1
+* prior to trunk revision r62992
+
+## Credit
+
+Thanks to [aerodudrizzt](https://hackerone.com/aerodudrizzt) for reporting the issue.
+
+## History
+
+* Originally published at 2018-03-28 14:00:00 (UTC)

en/news/_posts/2018-03-28-http-response-splitting-in-webrick-cve-2017-17742.md

@@ -0,0 +1,34 @@
+---
+layout: news_post
+title: "CVE-2017-17742: HTTP response splitting in WEBrick"
+author: "usa"
+date: 2018-03-28 14:00:00 +0000
+tags: security
+lang: en
+---
+
+There is an HTTP response splitting vulnerability in WEBrick bundled with Ruby.
+This vulnerability has been assigned the CVE identifier [CVE-2017-17742](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742).
+
+## Details
+
+If a script accepts an external input and outputs it without modification as a part of HTTP responses, an attacker can use newline characters to deceive the clients that the HTTP response header is stopped at there, and can inject fake HTTP responses after the newline characters to show malicious contents to the clients. 
+
+All users running an affected release should upgrade immediately.
+
+## Affected Versions
+
+* Ruby 2.2 series: 2.2.9 and earlier
+* Ruby 2.3 series: 2.3.6 and earlier
+* Ruby 2.4 series: 2.4.3 and earlier
+* Ruby 2.5 series: 2.5.0 and earlier
+* Ruby 2.6 series: 2.6.0-preview1
+* prior to trunk revision r62968
+
+## Credit
+
+Thanks to Aaron Patterson <tenderlove@ruby-lang.org> for reporting the issue.
+
+## History
+
+* Originally published at 2018-03-28 14:00:00 (UTC)

en/news/_posts/2018-03-28-large-request-dos-in-webrick-cve-2018-8777.md

@@ -0,0 +1,34 @@
+---
+layout: news_post
+title: "CVE-2018-8777: DoS by large request in WEBrick"
+author: "usa"
+date: 2018-03-28 14:00:00 +0000
+tags: security
+lang: en
+---
+
+There is a out-of-memory DoS vulnerability with a large request in WEBrick bundled with Ruby. 
+This vulnerability has been assigned the CVE identifier [CVE-2018-8777](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8777).
+
+## Details
+
+If an attacker sends a large request which contains huge HTTP headers, WEBrick try to process it on memory, so the request causes the out-of-memory DoS attack.
+
+All users running an affected release should upgrade immediately.
+
+## Affected Versions
+
+* Ruby 2.2 series: 2.2.9 and earlier
+* Ruby 2.3 series: 2.3.6 and earlier
+* Ruby 2.4 series: 2.4.3 and earlier
+* Ruby 2.5 series: 2.5.0 and earlier
+* Ruby 2.6 series: 2.6.0-preview1
+* prior to trunk revision r62965
+
+## Credit
+
+Thanks to Eric Wong <e@80x24.org> for reporting the issue.
+
+## History
+
+* Originally published at 2018-03-28 14:00:00 (UTC)

en/news/_posts/2018-03-28-poisoned-nul-byte-dir-cve-2018-8780.md

@@ -0,0 +1,36 @@
+---
+layout: news_post
+title: "CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir"
+author: "usa"
+date: 2018-03-28 14:00:00 +0000
+tags: security
+lang: en
+---
+
+There is an unintentional directory traversal in some methods in `Dir`.
+This vulnerability has been assigned the CVE identifier [CVE-2018-8780](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8780).
+
+## Details
+
+`Dir.open`, `Dir.new`, `Dir.entries` and `Dir.empty?` accept the path of the target directory as their parameter.
+If the parameter contains NUL (`\0`) bytes, these methods recognize that the path is completed before the NUL bytes.
+So, if a script accepts an external input as the argument of these methods, the attacker can make the unintentional directory traversal.
+
+All users running an affected release should upgrade immediately.
+
+## Affected Versions
+
+* Ruby 2.2 series: 2.2.9 and earlier
+* Ruby 2.3 series: 2.3.6 and earlier
+* Ruby 2.4 series: 2.4.3 and earlier
+* Ruby 2.5 series: 2.5.0 and earlier
+* Ruby 2.6 series: 2.6.0-preview1
+* prior to trunk revision r62989
+
+## Credit
+
+Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for reporting the issue.
+
+## History
+
+* Originally published at 2018-03-28 14:00:00 (UTC)

en/news/_posts/2018-03-28-poisoned-nul-byte-unixsocket-cve-2018-8779.md

@@ -0,0 +1,39 @@
+---
+layout: news_post
+title: "CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket"
+author: "usa"
+date: 2018-03-28 14:00:00 +0000
+tags: security
+lang: en
+---
+
+There is a unintentional socket creation vulnerability in `UNIXServer.open` method of socket library bundled with Ruby.
+And there is also a unintentional socket access vulnerability in `UNIXSocket.open` method.
+This vulnerability has been assigned the CVE identifier [CVE-2018-8779](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8779).
+
+## Details
+
+`UNIXServer.open` accepts the path of the socket to be created at the first parameter.
+If the path contains NUL (`\0`) bytes, this method recognize that the path is completed before the NUL bytes.
+So, if a script accepts an external input as the argument of this method, the attacker can make the socket file in the unintentional path.
+And, `UNIXSocket.open` also accepts the path of the socket to be created at the first parameter without checking NUL bytes like `UNIXServer.open`.
+So, if a script accepts an external input as the argument of this method, the attacker can accepts the socket file in the unintentional path.
+
+All users running an affected release should upgrade immediately.
+
+## Affected Versions
+
+* Ruby 2.2 series: 2.2.9 and earlier
+* Ruby 2.3 series: 2.3.6 and earlier
+* Ruby 2.4 series: 2.4.3 and earlier
+* Ruby 2.5 series: 2.5.0 and earlier
+* Ruby 2.6 series: 2.6.0-preview1
+* prior to trunk revision r62991
+
+## Credit
+
+Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for reporting the issue.
+
+## History
+
+* Originally published at 2018-03-28 14:00:00 (UTC)

en/news/_posts/2018-03-28-ruby-2-2-10-released.md

@@ -0,0 +1,60 @@
+---
+layout: news_post
+title: "Ruby 2.2.10 Released"
+author: "usa"
+translator:
+date: 2018-03-28 17:00:00 +0000
+lang: en
+---
+
+Ruby 2.2.10 has been released.
+This release includes several security fixes.
+Please check the topics below for details.
+
+* [CVE-2017-17742: HTTP response splitting in WEBrick](/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/)
+* [CVE-2018-8777: DoS by large request in WEBrick](/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/)
+* [CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir](/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/)
+* [CVE-2018-8778: Buffer under-read in String#unpack](/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/)
+* [CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket](/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/)
+* [CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir](/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/)
+* [Multiple vulnerabilities in RubyGems](/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/)
+
+Ruby 2.2 is under the state of the security maintenance phase, until the end of the March of 2018.
+After the date, maintenance of Ruby 2.2 will be ended.
+So, this release is expected to be the last release of Ruby 2.2.
+We will never make a new release of Ruby 2.2 unless Ruby 2.2.10 has a serious regression bug.
+We recommend you migrating to newer versions of Ruby, such as 2.5.
+
+## Download
+
+* [https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.10.tar.bz2](https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.10.tar.bz2)
+
+      SIZE:   13365461 bytes
+      SHA1:   72ee1dcfd96199d2c3092b77db7a7f439c0abd08
+      SHA256: a54204d2728283c9eff0cf81d654f245fa5b3447d0824f1a6bc3b2c5c827381e
+      SHA512: f8ec96c2a5f4ecf22052ee0b1029989ded52d7bf5d41be24fef67e732e76f72119302240bca08f0547510a9cd29e941a32e263cad9c8a2bf80023d6bc97b2373
+
+* [https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.10.tar.gz](https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.10.tar.gz)
+
+      SIZE:   16694179 bytes
+      SHA1:   b0207c861f3fa41cbe4909ecb89bd2fcac81fe7c
+      SHA256: cd51019eb9d9c786d6cb178c37f6812d8a41d6914a1edaf0050c051c75d7c358
+      SHA512: 051124922240d2e20e74903b9c629fa897279072d2aa9b0a4e3a02331b843fa9c97c16e7073d6faec1b9f2024c3a7e36346014c30eee256f0715c5de226b5db8
+
+* [https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.10.tar.xz](https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.10.tar.xz)
+
+      SIZE:   10508612 bytes
+      SHA1:   c46737f81df819c3d7423df5c644431b3fcb8fee
+      SHA256: bf77bcb7e6666ccae8d0882ea12b05f382f963f0a9a5285a328760c06a9ab650
+      SHA512: 1f35458f2b1c334e64aecf42cd1df3b223fef119b6ad23394285d9f2e72da26b3ba5418950694c4a8c0b4afc43672f78459f2f7281a595cff0967eb239662ae4
+
+* [https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.10.zip](https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.10.zip)
+
+      SIZE:   18540424 bytes
+      SHA1:   0f4b9c6695d000cb456fe8b89f8bf6d42fb95069
+      SHA256: 6933eb989afb1b916c438d8eeecff1cfb0a6569c07e7190beca56b10b822207a
+      SHA512: dfaa9a76170b0eed9cb2bf41178f2193dd3428492413b1616aaabd67ec35b9b7705b422b0fdfe38b18a1800bbce3ba161b53d229d307ea7f5c0269ef3d031980
+
+## Release Comment
+
+Thanks to everyone who reported vulnerabilities, fixed the vulnerabilities and helped with this release.