
v1.0.7



@rgrove rgrove released this 25 Jun 17:10 (tag v1.0.7, commit cfd5daa)

Security

  • High: Fixed a denial of service vulnerability in which a large numeric exponent could consume disproportionate CPU and memory before the value was clamped. Exponents are now bounded before 10**exponent is computed. (GHSA-6wmf-3r64-vcwv)

  • Moderate: Fixed a scenario in which deeply nested simple blocks or functions could exhaust the Ruby stack and raise SystemStackError, or could result in excessive memory usage. Parser nesting is now limited to a configurable maximum depth via a new option (:maximum_depth, with a conservative default of 25). Constructs nested more deeply are discarded as an :error node with the value "maximum-depth-exceeded". (GHSA-6jxj-px6v-747w)

  • Moderate: Fixed a scenario in which a long run of adjacent comments could exhaust the Ruby stack and raise SystemStackError. Discarded comments are now skipped iteratively rather than recursively. (GHSA-wwpr-jff3-395c)

  • Moderate: Fixed a denial of service vulnerability in which inputs containing many non-ASCII characters could cause excessive CPU usage due to inefficient handling of multi-byte characters during tokenization. (GHSA-8vfg-2r28-hvhj)
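The first item above, worked through in code. This is an added illustration, not the project's own implementation: the CSS number regex, the MAX_EXPONENT bound of 400 and the function names are this example's assumptions, and the page does not state what bound the fix actually uses. The "before" shape is the Integer power the note describes; the "after" clamps the exponent and then scales in Float, where an out-of-range power of ten is Infinity or 0.0 in constant time.

```ruby
# Added example (not the project's code): converting a CSS <number> token's text
# into a value with the exponent bounded before any power of ten is computed.

# CSS number syntax: optional sign, integer digits, optional fraction, optional exponent.
NUMBER_RE = /\A([+-]?)(\d*)(?:\.(\d+))?(?:[eE]([+-]?\d+))?\z/

# Assumed bound: anything beyond +/-400 already overflows or underflows a double,
# so clamping there changes no finite result.
MAX_EXPONENT = 400

# The "before" shape of the bug: the exponent is parsed as an Integer and raised
# immediately, so a text like "1e99999999" builds a hundred-million-digit Integer
# (CPU and memory proportional to the exponent) before anything else runs.
def scale_unbounded(exponent)
  10**exponent
end

# Bounded version: clamp first, then work in Float, where 10.0**400 is Infinity
# and 10.0**-400 is 0.0, both in constant time.
def scale_bounded(exponent, max_exponent: MAX_EXPONENT)
  10.0**exponent.clamp(-max_exponent, max_exponent)
end

# Returns the numeric value of a CSS number, or nil if `text` is not one.
def css_number_value(text, max_exponent: MAX_EXPONENT)
  m = NUMBER_RE.match(text)
  return nil if m.nil?
  sign, int, frac, exp = m.captures
  return nil if int.empty? && frac.nil?   # ".", "e5" and the like are not numbers

  # Float() parses the mantissa with strtod, so a long fraction costs time
  # proportional to its length and never a power-of-ten blowup.
  mantissa = Float("#{int.empty? ? '0' : int}.#{frac || '0'}")
  exponent = exp ? Integer(exp, 10) : 0   # may itself be a huge Integer; clamp handles it
  (sign == "-" ? -1.0 : 1.0) * mantissa * scale_bounded(exponent, max_exponent: max_exponent)
end
```

The order matters: the clamp runs on the parsed exponent before any arithmetic touches it, so the cost of a hostile exponent is bounded by the length of its digits, not by its magnitude.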
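The second and third items above share one example: a small block parser, added here as an illustration and not the project's own code, that takes a :maximum_depth option with the same default of 25, turns any construct nested more deeply into an :error node with the value "maximum-depth-exceeded", and skips comments in a loop rather than by recursion. The grammar (braces and bare words only), the StringScanner-based helpers and the node hash shape are this example's assumptions.

```ruby
require "strscan"

# Added example, not the project's code: a recursive-descent block parser with a
# :maximum_depth option (default 25, as in the release notes) whose comment
# skipping and too-deep-block discarding are loops rather than recursion.

DEFAULT_MAXIMUM_DEPTH = 25

# Parses "{ ... }" blocks and bare words into a tree of hashes.
def parse_blocks(css, maximum_depth: DEFAULT_MAXIMUM_DEPTH)
  parse_list(StringScanner.new(css), 0, maximum_depth)
end

# Skips whitespace and "/* */" comments (an unterminated comment runs to the end).
# Iterative: a million adjacent comments cost a million loop iterations, not a
# million stack frames.
def skip_comments(ss)
  while ss.skip(/\s+|\/\*(?:.*?\*\/|.*)/m)
    # keep skipping until neither alternative matches
  end
end

# Consumes a block that is nested too deeply, and everything inside it, with a
# single counter of unmatched opens instead of a recursive call per level.
def discard_block(ss)
  unmatched = 1
  until ss.eos? || unmatched.zero?
    skip_comments(ss)                  # braces inside comments do not count
    if    ss.skip(/\{/) then unmatched += 1
    elsif ss.skip(/\}/) then unmatched -= 1
    else  ss.skip(/[^{}\/]+|\//)       # ordinary text, or a lone "/"
    end
  end
end

# Parses one list of nodes; `depth` is how many blocks enclose it.
def parse_list(ss, depth, maximum_depth)
  nodes = []
  until ss.eos?
    skip_comments(ss)
    break if ss.eos?
    if ss.skip(/\{/)
      if depth + 1 > maximum_depth
        discard_block(ss)
        nodes << { node: :error, value: "maximum-depth-exceeded" }
      else
        nodes << { node: :block, children: parse_list(ss, depth + 1, maximum_depth) }
        ss.skip(/\}/)                  # the brace that ended the child list, if present
      end
    elsif ss.check(/\}/)
      return nodes if depth > 0        # end of the enclosing block; the caller consumes it
      ss.getch                         # stray close brace at top level: drop it
    else
      nodes << { node: :ident, value: ss.scan(/[^{}\s\/]+|\//) }
    end
  end
  nodes
end

# Nesting depth of the deepest block in a parsed tree (other nodes are leaves).
def block_depth(nodes)
  nodes.map { |n| n[:node] == :block ? 1 + block_depth(n[:children]) : 0 }.max || 0
end

if $PROGRAM_NAME == __FILE__
  hostile = "{" * 100_000 + "}" * 100_000     # constructed input
  p block_depth(parse_blocks(hostile))         # 25: bounded, no SystemStackError
end
```

Two things to check when reviewing a fix of this kind: the depth bound must be enforced before the recursive call is made, not inside it, and the code path that discards the oversized construct must not itself recurse, or the attacker simply moves the stack exhaustion into the error handler.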
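The fourth item above says only that multi-byte characters were handled inefficiently during tokenization. The example below is an added illustration, not the project's code, and it assumes the most common cause of that symptom in Ruby tokenizers: indexing a non-ASCII string by character position, which Ruby must do by scanning from the start of the string on every access, turning a linear pass into a quadratic one. Whether that was the exact cause here is not stated on the page. The two tokenizers, the timing helper and the sample inputs are this example's own.

```ruby
require "strscan"

# Added example (not the project's code): the same whitespace-separated tokenizer
# written two ways. Assumption, not stated on the page: the quadratic cost comes
# from character-position indexing of a non-ASCII string.

# Character-index loop. On a string containing multi-byte characters, each
# input[i] is O(i) because Ruby has to walk the bytes from the start to find the
# i-th character, so the whole pass is O(n^2). On pure ASCII Ruby indexes by
# byte and the cost vanishes, which is why ASCII-only fixtures never notice.
def tokenize_by_index(input)
  tokens = []
  i = 0
  n = input.length
  while i < n
    if input[i].match?(/\s/)
      i += 1
    else
      start = i
      i += 1 while i < n && !input[i].match?(/\s/)   # every probe rescans from byte 0
      tokens << input[start...i]                       # and so does the slice
    end
  end
  tokens
end

# StringScanner keeps a byte offset and matches forward from it, so each token
# costs time proportional to its own length and the pass is O(n) regardless of
# how many multi-byte characters the input contains.
def tokenize_by_scanner(input)
  tokens = []
  ss = StringScanner.new(input)
  until ss.eos?
    next if ss.skip(/\s+/)
    tokens << ss.scan(/\S+/)
  end
  tokens
end

# Wall-clock seconds for each tokenizer on n copies of a two-character non-ASCII
# token (constructed input). Returns [index_seconds, scanner_seconds].
def compare_timings(n)
  input = "é " * n
  [method(:tokenize_by_index), method(:tokenize_by_scanner)].map do |tokenizer|
    started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    tokenizer.call(input)
    Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
  end
end

if $PROGRAM_NAME == __FILE__
  index_s, scanner_s = compare_timings(50_000)
  puts format("index: %.3fs  scanner: %.3fs", index_s, scanner_s)
end
```

Run the script with a growing n and the index version's time grows roughly with the square of n while the scanner version stays linear; the same inputs produce identical token lists from both, which is what makes this class of bug easy to miss in correctness tests.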