v0.4.25

@nevans nevans released this 02 Jul 22:26
v0.4.25
43342af

Important

The 0.4.x release branch will only receive security fixes, and will be unsupported once Ruby 3.3 reaches EOL.
Please upgrade to a newer version.

What's Changed

Special thanks to @hsbt for backporting most of these PRs, in #707!

🔒 Security

This release fixes several more security vulnerabilities that are related to the fixes in v0.4.24. Please see the linked security advisories for more information.

  • (moderate) Command Injection via non-synchronizing literal in "raw" argument (CVE-2026-47240, GHSA-8p34-64r3-mwg8)
    This vulnerability depends on how the server interprets non-synchronizing literals.
    The connection is not vulnerable if the server supports non-synchronizing literals.
    • 🥅 Validate non-synchronizing literals support (backports #701)
  • (moderate) Command Injection via unvalidated ID and ENABLE arguments (CVE-2026-47242, GHSA-46q3-7gv7-qmgg)
    • 🥅 Validate ID values contain only valid bytes (backports #698)
    • 🥅 Validate #enable arguments are all atoms (backports #699)
      NOTE: #enable should never be called with untrusted input.
  • (low) Denial of Service via incomplete "raw" argument validation (CVE-2026-47241, GHSA-c4fp-cxrr-mj66)
    This results in the affected command hanging until the connection is closed. If another thread attempts to send a concurrent pipelined command, the first thread will return with a syntax error and the second thread will hang until the connection closes.
    • Reported by @fg0x0
    • 🐛 Prevent trailing {0} in RawData validation (backports #700)
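As an added example (not net-imap's own code), the following standalone Ruby checks illustrate the classes of client-side validation the fixes above describe: atoms for ENABLE, byte validation for ID values, rejection of a trailing literal prefix in raw data, and only emitting non-synchronizing literals when the server advertises support. The helper names are this example's, not the gem's API.

```ruby
# Added example, not net-imap's own code. Helper names (valid_atom?,
# valid_enable_args?, valid_id_value?, raw_data_safe?, literal_prefix) are
# this example's own, not the gem's API.

# RFC 3501 ATOM-CHAR excludes "(" ")" "{" SP CTL, list-wildcards "%" "*",
# quoted-specials '"' "\\" and resp-specials "]".
ATOM_RE = /\A[^(){ \x00-\x1f\x7f%*"\\\]]+\z/n

def valid_atom?(str)
  str.is_a?(String) && ATOM_RE.match?(str.b)
end

# ENABLE (RFC 5161) takes capability names, which must all be atoms.
# A non-atom argument could break out of the command on the wire.
def valid_enable_args?(args)
  !args.empty? && args.all? { |a| valid_atom?(a) }
end

# ID (RFC 2971) values are strings or NIL. This example rejects NUL, CR and
# LF: a value containing CRLF would end the current command and start
# another one.
def valid_id_value?(val)
  val.nil? || (val.is_a?(String) && !val.b.match?(/[\x00\r\n]/n))
end

# Raw data is sent verbatim. A trailing literal prefix such as "{0}" makes
# the server wait for literal bytes that never arrive, so the command never
# completes.
def raw_data_safe?(raw)
  !raw.b.match?(/\{\d+\+?\}\z/n)
end

# Non-synchronizing literals ("{n+}", RFC 7888) are only safe when the
# server advertises LITERAL+ (any size) or LITERAL- (up to 4096 bytes);
# otherwise a server will not treat "{n+}" as a literal and the bytes that
# follow are parsed as command text. Fall back to a synchronizing "{n}".
def literal_prefix(size, capabilities)
  plus  = capabilities.include?("LITERAL+")
  minus = capabilities.include?("LITERAL-") && size <= 4096
  (plus || minus) ? "{#{size}+}" : "{#{size}}"
end
```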

Fixed

  • Remove dead code resulting from cherry-pick of 6f82e28. by @jackorp in #706
  • 🏷️ Allow 64-bit Integer arguments (backports #675)
  • 🥅 Validate that Atom and Flag are not empty (backports #684)
  • 🧵 Fix deadlock in #disconnect (backports #686)

Documentation

  • ⚠️ Boost visibility of raw data argument documentation warnings (backports #677)

Other Changes

  • 🧵 Close socket in #disconnect before waiting for lock & thread join (backports #493)
  • 🥅 Ensure send_number_data input is an Integer (backports #676)
  • ♻️ Improve RawData.new, Add RawData.split (backports #679)
  • 🥅 Validate response literal byte size format (backports #681)

Miscellaneous

  • ✅ Fix flaky tests with FakeServer#Connection#close mutex (backports half of #520)
  • ✅ Improvements to tests' FakeServer (backports #678)
  • Backport the security fixes to v0.4 for a 0.4.25 release by @hsbt in #707

Full Changelog: v0.4.24...v0.4.25