Upgrade Ruby to 2.7.8

[depfu[bot]]

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

Release Notes

2.7.8

2.7.7

Posted by usa on 24 Nov 2022

Ruby 2.7.7 has been released.

This release includes a security fix. Please check the topics below for details.

• CVE-2021-33621: HTTP response splitting in CGI

This release also includes some build problem fixes. They are not considered to affect compatibility with previous versions. See the commit logs for further details.

2.7.6

Posted by usa and mame on 12 Apr 2022

Ruby 2.7.6 has been released.

This release includes a security fix. Please check the topics below for details.

• CVE-2022-28739: Buffer overrun in String-to-Float conversion

This release also includes some bug fixes. See the commit logs for further details.

After thies release, we end the normal maintenance phase of Ruby 2.7, and Ruby 2.7 enters the security maintenance phase. This means that we will no longer backport any bug fixes to Ruby 2.7 excpet security fixes. Ther term of the security maintenance pahse is scheduled for a year. Ruby 2.7 reaches EOL and its official support ends by the end of the security maintenance phase. Therefore, we recommend that you start to plan upgrade to Ruby 3.0 or 3.1.

2.7.5

Posted by usa on 24 Nov 2021

Ruby 2.7.5 has been released.

This release includes security fixes. Please check the topics below for details.

• CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods
• CVE-2021-41816: Buffer Overrun in CGI.escape_html
• CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse

See the commit logs for details.

2.7.4

Posted by usa on 7 Jul 2021

Ruby 2.7.4 has been released.

This release includes security fixes. Please check the topics below for details.

• CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
• CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
• CVE-2021-31799: A command injection vulnerability in RDoc

See the commit logs for details.

2.7.3

Posted by nagachika on 5 Apr 2021

Ruby 2.7.3 has been released.

This release includes security fixes. Please check the topics below for details.

• CVE-2021-28965: XML round-trip vulnerability in REXML
• CVE-2021-28966: Path traversal in Tempfile on Windows

See the commit logs for details.

2.7.2

Posted by nagachika on 2 Oct 2020

Ruby 2.7.2 has been released.

This release contains intentional incompatibility. The deprecated warnings are off by default on 2.7.2 and later. You can turn on the deprecated warnings by specifing command line option -w or -W:deprecated. Please check the topics below for details.

• Feature #17000 2.7.2 turns off deprecation warnings by default
• Feature #16345 Don’t emit deprecation warnings by default.

This release contains the new version of webrick with a security fix described in the article.

• CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick

See the commit logs for other changes.

---

All Depfu comment commands

@​depfu refresh

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Pauses all engine updates and closes this PR