Ruby

Ruby 1.9.2-p330 Released

Posted by zzak and hone on 19 Aug 2014

We have released 1.9.2-p330, the final release of the 1.9.2 series.

Soon after announcing the End of Life for 1.9.2 (and 1.8.7), a critical security regression was found in 1.9.2. This vulnerability has been assigned the CVE identifier CVE-2014-6438.

This bug occurs when parsing a long string is using the URI method decode_www_form_component. This can be reproduced by running the following on vulnerable Rubies:

ruby -v -ruri -e'URI.decode_www_form_component "A string that causes catastrophic backtracking as it gets longer %"'

Since it was found and patched just before the release of 1.9.3, versions of Ruby 1.9.3-p0 and later are not affected; however versions of Ruby 1.9.2 older than 1.9.2-p330 are affected.

You can read the original report on the bug tracker: https://bugs.ruby-lang.org/issues/5149#note-4

Download

We encourage you to upgrade to a stable and maintained version of Ruby.

Recent News

Ruby 4.0.0 Released

We are pleased to announce the release of Ruby 4.0.0. Ruby 4.0 introduces “Ruby Box” and “ZJIT”, and adds many improvements.

Posted by naruse on 25 Dec 2025

A New Look for Ruby's Documentation

Following the ruby-lang.org redesign, we have more news to celebrate Ruby’s 30th anniversary: docs.ruby-lang.org has a completely new look with Aliki—RDoc’s new default theme.

Posted by Stan Lo on 23 Dec 2025

Redesign our Site Identity

We are excited to announce a comprehensive redesign of our site. The design for this update was created by Taeko Akatsuka.

Posted by Hiroshi SHIBATA on 22 Dec 2025

Ruby 4.0.0 preview3 Released

We are pleased to announce the release of Ruby 4.0.0-preview3. Ruby 4.0 introduces Ruby::Box and “ZJIT”, and adds many improvements.

Posted by naruse on 18 Dec 2025

More News...