Merged
2 changes: 1 addition & 1 deletion _data/downloads.yml
Expand Up @@ -7,7 +7,7 @@ preview:

stable:

- 4.0.4
- 4.0.5
- 3.4.9
- 3.3.11
- 3.2.11
24 changes: 24 additions & 0 deletions _data/releases.yml
Expand Up @@ -21,6 +21,30 @@

# 4.0 series

- version: 4.0.5
date: 2026-05-20
post: /en/news/2026/05/20/ruby-4-0-5-released/
url:
gz: https://cache.ruby-lang.org/pub/ruby/4.0/ruby-4.0.5.tar.gz
zip: https://cache.ruby-lang.org/pub/ruby/4.0/ruby-4.0.5.zip
xz: https://cache.ruby-lang.org/pub/ruby/4.0/ruby-4.0.5.tar.xz
size:
gz: 23818557
zip: 29122529
xz: 17893756
sha1:
gz: efa77332e323c15a86e1a25a3ae53bd21972672c
zip: cda48124428ae33497f191bb676c8022615ab91e
xz: 58216f1858feed4e2dbd2719a0a7ae807563b428
sha256:
gz: 7d6149079a63f8ae1d326c9fa65c6019ba2dc3155eae7b39159817911c88958e
zip: 605f8b22e12f5cfc3f4a48850a7fe7dc9b010002d2c994d7508f38c63d2c0ff8
xz: 5dc5521ea54c726e6cc10b1b5a0f4004b27b482e61c04c99aed79315e30895e5
sha512:
gz: ce50c8dda1479f5a84771df37cdb23f0183bba900494e7492bb90d4b0a3e60ff28b799f3c469977f5f7c1335a6c1f3400a9ca52cd4acfcbed08f016d352943f4
zip: c4faaefa386bb33dc4cb3994d740b0c8b4756726351df6cc0850dbd2598f3ba51dcfb38bd61d91f63adf3612bb5f6dbd727446caf9af78f5df36e7d31ecf113a
xz: 379d78a6d1af0455df60da46551f43438ad3ee81f83787554fc34cb1c8febb1bd363e3dc1a057b34a69f96526efc308d3dccc4b87d368897c2d1ccf179096463

- version: 4.0.4
date: 2026-05-11
post: /en/news/2026/05/11/ruby-4-0-4-released/
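Review bot: The `size`, `sha1`, `sha256` and `sha512` values in the new 4.0.5 entry are hand-entered literals that cannot be checked from this diff, and the release post renders them straight from `site.data.releases`, so a typo here becomes the published checksum. Before merging, recompute them from the three archives at the listed `cache.ruby-lang.org` URLs and compare, or state in the PR description how they were generated.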
38 changes: 38 additions & 0 deletions en/news/_posts/2026-05-20-getaddrinfo-cve-2026-46727.md
@@ -0,0 +1,38 @@
---
layout: news_post
title: "CVE-2026-46727: Use-after-free in pthread-based getaddrinfo timeout handler"
author: "hsbt"
translator:
date: 2026-05-20 00:00:00 +0000
tags: security
lang: en
---

A use-after-free vulnerability has been discovered in the pthread-based `getaddrinfo` timeout handler of Ruby. This vulnerability has been assigned the CVE identifier [CVE-2026-46727](https://www.cve.org/CVERecord?id=CVE-2026-46727). This issue has been fixed in Ruby 4.0.5. We recommend upgrading Ruby.

## Details

A race condition exists in the timeout cancellation path of `rb_getaddrinfo` used by `Addrinfo.getaddrinfo(..., timeout:)` and `Socket.tcp(..., resolv_timeout:)`. A remote attacker who can delay DNS responses near the specified timeout may cause the Ruby process to dereference freed memory and crash.

## Recommended action

Please update to Ruby 4.0.5 or later.

## Workaround

If you cannot upgrade immediately, avoid passing `timeout:` to `Addrinfo.getaddrinfo` and `resolv_timeout:` to `Socket.tcp`.

## Affected versions

* Ruby 4.0.0 through 4.0.4
* Ruby 4.1.0-dev (master) before the fix

Ruby 3.4 series and earlier are not affected.

## Credits

Thanks to [cantina-security](https://hackerone.com/cantina-security) for discovering this issue. Also thanks to [shioimm](https://github.com/shioimm) for creating the patch.

## History

* Originally published at 2026-05-20 00:00:00 (UTC)
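Review bot: Under "Affected versions", the line `Ruby 4.1.0-dev (master) before the fix` names no commit, revision or date, so someone running a master build cannot tell whether they already have the fix; add the fixing commit or a link to it. The "Workaround" section could also state that dropping `timeout:` and `resolv_timeout:` leaves name resolution without the time limit those options set, so readers know what they give up until they upgrade.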
52 changes: 52 additions & 0 deletions en/news/_posts/2026-05-20-ruby-4-0-5-released.md
@@ -0,0 +1,52 @@
---
layout: news_post
title: "Ruby 4.0.5 Released"
author: k0kubun
translator:
date: 2026-05-20 00:12:20 +0000
lang: en
---

Ruby 4.0.5 has been released.

This release only contains a security fix for
[CVE-2026-46727: Use-after-free in pthread-based getaddrinfo timeout handler](/en/news/2026/05/20/getaddrinfo-cve-2026-46727/)
and a build system regression in Ruby 4.0.4 under C locale [[Bug #22065]](https://bugs.ruby-lang.org/issues/22065).

Please see the [GitHub releases](https://github.com/ruby/ruby/releases/tag/v4.0.5) for further details.

## Release Schedule

We intend to release the latest stable Ruby version (currently Ruby 4.0) every two months following the most recent *regular* release. Ruby 4.0.6 will be released in July, 4.0.7 in September, and 4.0.8 in November.

If a change arises that significantly affects users, a release may occur earlier than planned, and the subsequent schedule may shift accordingly.

## Download

{% assign release = site.data.releases | where: "version", "4.0.5" | first %}

* <{{ release.url.gz }}>

SIZE: {{ release.size.gz }}
SHA1: {{ release.sha1.gz }}
SHA256: {{ release.sha256.gz }}
SHA512: {{ release.sha512.gz }}

* <{{ release.url.xz }}>

SIZE: {{ release.size.xz }}
SHA1: {{ release.sha1.xz }}
SHA256: {{ release.sha256.xz }}
SHA512: {{ release.sha512.xz }}

* <{{ release.url.zip }}>

SIZE: {{ release.size.zip }}
SHA1: {{ release.sha1.zip }}
SHA256: {{ release.sha256.zip }}
SHA512: {{ release.sha512.zip }}

## Release Comment

Many committers, developers, and users who provided bug reports helped us make this release.
Thanks for their contributions.
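Review bot: In the opening paragraph, "This release only contains a security fix for ... and a build system regression in Ruby 4.0.4 under C locale" reads as if the release ships the regression rather than its fix. Suggest "and a fix for a build system regression in Ruby 4.0.4 under C locale", keeping the link to Bug #22065.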