From 7a4f196ee377a7027f9daeae32146f68c5365f3a Mon Sep 17 00:00:00 2001 From: GitHub Actions Bot Date: Wed, 20 May 2026 00:12:21 +0000 Subject: [PATCH 1/3] Create release for 4.0.5 --- _data/downloads.yml | 2 +- _data/releases.yml | 24 +++++++++++ .../_posts/2026-05-20-ruby-4-0-5-released.md | 42 +++++++++++++++++++ 3 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 en/news/_posts/2026-05-20-ruby-4-0-5-released.md diff --git a/_data/downloads.yml b/_data/downloads.yml index 0c156e797f..6ab158f4b8 100644 --- a/_data/downloads.yml +++ b/_data/downloads.yml @@ -7,7 +7,7 @@ preview: stable: - - 4.0.4 + - 4.0.5 - 3.4.9 - 3.3.11 - 3.2.11 diff --git a/_data/releases.yml b/_data/releases.yml index 81c17918b1..0a6d9359bf 100644 --- a/_data/releases.yml +++ b/_data/releases.yml 
@@ -21,6 +21,30 @@ # 4.0 series +- version: 4.0.5 + date: 2026-05-20 + post: /en/news/2026/05/20/ruby-4-0-5-released/ + url: + gz: https://cache.ruby-lang.org/pub/ruby/4.0/ruby-4.0.5.tar.gz + zip: https://cache.ruby-lang.org/pub/ruby/4.0/ruby-4.0.5.zip + xz: https://cache.ruby-lang.org/pub/ruby/4.0/ruby-4.0.5.tar.xz + size: + gz: 23818557 + zip: 29122529 + xz: 17893756 + sha1: + gz: efa77332e323c15a86e1a25a3ae53bd21972672c + zip: cda48124428ae33497f191bb676c8022615ab91e + xz: 58216f1858feed4e2dbd2719a0a7ae807563b428 + sha256: + gz: 7d6149079a63f8ae1d326c9fa65c6019ba2dc3155eae7b39159817911c88958e + zip: 605f8b22e12f5cfc3f4a48850a7fe7dc9b010002d2c994d7508f38c63d2c0ff8 + xz: 5dc5521ea54c726e6cc10b1b5a0f4004b27b482e61c04c99aed79315e30895e5 + sha512: + gz: ce50c8dda1479f5a84771df37cdb23f0183bba900494e7492bb90d4b0a3e60ff28b799f3c469977f5f7c1335a6c1f3400a9ca52cd4acfcbed08f016d352943f4 + zip: c4faaefa386bb33dc4cb3994d740b0c8b4756726351df6cc0850dbd2598f3ba51dcfb38bd61d91f63adf3612bb5f6dbd727446caf9af78f5df36e7d31ecf113a + xz: 379d78a6d1af0455df60da46551f43438ad3ee81f83787554fc34cb1c8febb1bd363e3dc1a057b34a69f96526efc308d3dccc4b87d368897c2d1ccf179096463 + - version: 4.0.4 date: 2026-05-11 post: /en/news/2026/05/11/ruby-4-0-4-released/ diff --git a/en/news/_posts/2026-05-20-ruby-4-0-5-released.md b/en/news/_posts/2026-05-20-ruby-4-0-5-released.md new file mode 100644 index 0000000000..e48d806700 --- /dev/null +++ b/en/news/_posts/2026-05-20-ruby-4-0-5-released.md 
@@ -0,0 +1,42 @@ +--- +layout: news_post +title: "Ruby 4.0.5 Released" +author: +translator: +date: 2026-05-20 00:12:20 +0000 +lang: en +--- + +Ruby 4.0.5 has been released. + +Please see the [GitHub releases](https://github.com/ruby/ruby/releases/tag/v4.0.5) for further details. + +## Download + +{% assign release = site.data.releases | where: "version", "4.0.5" | first %} + +* <{{ release.url.gz }}> + + SIZE: {{ release.size.gz }} + SHA1: {{ release.sha1.gz }} + SHA256: {{ release.sha256.gz }} + SHA512: {{ release.sha512.gz }} + +* <{{ release.url.xz }}> + + SIZE: {{ release.size.xz }} + SHA1: {{ release.sha1.xz }} + SHA256: {{ release.sha256.xz }} + SHA512: {{ release.sha512.xz }} + +* <{{ release.url.zip }}> + + SIZE: {{ release.size.zip }} + SHA1: {{ release.sha1.zip }} + SHA256: {{ release.sha256.zip }} + SHA512: {{ release.sha512.zip }} + +## Release Comment + +Many committers, developers, and users who provided bug reports helped us make this release. +Thanks for their contributions. From 37386ae5cbd2000c5262154f65097990570c2bb0 Mon Sep 17 00:00:00 2001 From: Takashi Kokubun Date: Tue, 19 May 2026 17:28:18 -0700 Subject: [PATCH 2/3] Add cve-2026-46727 and write up a 4.0.5 release post --- .../2026-05-20-getaddrinfo-cve-2026-46727.md | 38 +++++++++++++++++++ .../_posts/2026-05-20-ruby-4-0-5-released.md | 12 +++++- 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 en/news/_posts/2026-05-20-getaddrinfo-cve-2026-46727.md diff --git a/en/news/_posts/2026-05-20-getaddrinfo-cve-2026-46727.md b/en/news/_posts/2026-05-20-getaddrinfo-cve-2026-46727.md new file mode 100644 index 0000000000..0559d2e779 --- /dev/null +++ b/en/news/_posts/2026-05-20-getaddrinfo-cve-2026-46727.md 
@@ -0,0 +1,38 @@ +--- +layout: news_post +title: "CVE-2026-46727: Use-after-free in pthread-based getaddrinfo timeout handler" +author: "hsbt" +translator: +date: 2026-05-20 00:00:00 +0000 +tags: security +lang: en +--- + +A use-after-free vulnerability has been discovered in the pthread-based `getaddrinfo` timeout handler of Ruby. This vulnerability has been assigned the CVE identifier [CVE-2026-46727](https://www.cve.org/CVERecord?id=CVE-2026-46727). This issue has been fixed in Ruby 4.0.5. We recommend upgrading Ruby. + +## Details + +A race condition exists in the timeout cancellation path of `rb_getaddrinfo` used by `Addrinfo.getaddrinfo(..., timeout:)` and `Socket.tcp(..., resolv_timeout:)`. A remote attacker who can delay DNS responses near the specified timeout may cause the Ruby process to dereference freed memory and crash. + +## Recommended action + +Please update to Ruby 4.0.5 or later. + +## Workaround + +If you cannot upgrade immediately, avoid passing `timeout:` to `Addrinfo.getaddrinfo` and `resolv_timeout:` to `Socket.tcp`. + +## Affected versions + +* Ruby 4.0.0 through 4.0.4 +* Ruby 4.1.0-dev (master) before the fix + +Ruby 3.4 series and earlier are not affected. + +## Credits + +Thanks to [cantina-security](https://hackerone.com/cantina-security) for discovering this issue. Also thanks to [shioimm](https://github.com/shioimm) for creating the patch. + +## History + +* Originally published at 2026-05-20 00:00:00 (UTC) diff --git a/en/news/_posts/2026-05-20-ruby-4-0-5-released.md b/en/news/_posts/2026-05-20-ruby-4-0-5-released.md index e48d806700..b3e6dcdd68 100644 --- a/en/news/_posts/2026-05-20-ruby-4-0-5-released.md +++ b/en/news/_posts/2026-05-20-ruby-4-0-5-released.md @@ -1,7 +1,7 @@ --- layout: news_post title: "Ruby 4.0.5 Released" -author: +author: k0kubun translator: date: 2026-05-20 00:12:20 +0000 lang: en 
@@ -9,8 +9,18 @@ lang: en Ruby 4.0.5 has been released. +This release only contains a security fix for +[CVE-2026-46727: Use-after-free in pthread-based getaddrinfo timeout handler](/en/news/2026/05/20/getaddrinfo-cve-2026-46727/) +and a build system regression under C locale ([[Bug #22065]](https://bugs.ruby-lang.org/issues/22065)). + Please see the [GitHub releases](https://github.com/ruby/ruby/releases/tag/v4.0.5) for further details. +## Release Schedule + +We intend to release the latest stable Ruby version (currently Ruby 4.0) every two months following the most recent *regular* release. Ruby 4.0.6 will be released in July, 4.0.7 in September, and 4.0.8 in November. + +If a change arises that significantly affects users, a release may occur earlier than planned, and the subsequent schedule may shift accordingly. + ## Download {% assign release = site.data.releases | where: "version", "4.0.5" | first %} From 5f8699986c4126cbbd0649e7a11166256b226428 Mon Sep 17 00:00:00 2001 From: Takashi Kokubun Date: Tue, 19 May 2026 17:31:28 -0700 Subject: [PATCH 3/3] Tweak the 22065 explanation --- en/news/_posts/2026-05-20-ruby-4-0-5-released.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/en/news/_posts/2026-05-20-ruby-4-0-5-released.md b/en/news/_posts/2026-05-20-ruby-4-0-5-released.md index b3e6dcdd68..891fc3d338 100644 --- a/en/news/_posts/2026-05-20-ruby-4-0-5-released.md +++ b/en/news/_posts/2026-05-20-ruby-4-0-5-released.md 
@@ -11,7 +11,7 @@ Ruby 4.0.5 has been released. This release only contains a security fix for [CVE-2026-46727: Use-after-free in pthread-based getaddrinfo timeout handler](/en/news/2026/05/20/getaddrinfo-cve-2026-46727/) -and a build system regression under C locale ([[Bug #22065]](https://bugs.ruby-lang.org/issues/22065)). +and a build system regression in Ruby 4.0.4 under C locale [[Bug #22065]](https://bugs.ruby-lang.org/issues/22065). Please see the [GitHub releases](https://github.com/ruby/ruby/releases/tag/v4.0.5) for further details.
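Review bot: the new 4.0.5 entry in `_data/releases.yml` (first commit) publishes sha1, sha256 and sha512 digests for all three archives, but nothing in this series shows them being checked against the files actually served from cache.ruby-lang.org, and the news post renders these exact values as the verification reference for downloaders; please confirm in the PR that each digest was computed from the uploaded artifact (for example `sha256sum ruby-4.0.5.tar.gz` compared with the `gz:` line under `sha256:`) before merging. The `_data/downloads.yml` bump from 4.0.4 to 4.0.5 in the `stable:` list matches the new entry.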
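Review bot: `author:` is left blank in the front matter of the new `en/news/_posts/2026-05-20-ruby-4-0-5-released.md` (first commit), and the post body says nothing about what the release contains; both gaps are only closed by the second commit (`author: k0kubun`, plus the paragraph naming CVE-2026-46727 and Bug #22065). Squashing that fix into the bot-generated commit, or at least not publishing between the two, avoids an intermediate site state with an empty author field and no mention of the security fix.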
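Review bot: in the new advisory `2026-05-20-getaddrinfo-cve-2026-46727.md` (second commit), the Workaround section tells users to stop passing `timeout:` to `Addrinfo.getaddrinfo` and `resolv_timeout:` to `Socket.tcp` but does not say what behaviour the call falls back to without those keywords, and the Affected versions section lists `Ruby 4.1.0-dev (master) before the fix` without identifying the fix; adding one sentence on the fallback behaviour and a link to the fixing commit or PR (placeholder until the maintainers supply it) would let operators weigh the workaround against upgrading. The Details section and the cve.org link read correctly as written.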
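Review bot: the sentence introduced in the second commit and reworded in the third, "This release only contains a security fix for [CVE-2026-46727 ...] and a build system regression in Ruby 4.0.4 under C locale [[Bug #22065]](...)", still parses as the release shipping a regression rather than fixing one, because "a fix for" governs only the first item; suggest "and a fix for a build system regression in Ruby 4.0.4 under C locale [[Bug #22065]](https://bugs.ruby-lang.org/issues/22065)". The added Release Schedule section is fine as is.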