Copy related news from en

Author: riseshia

ko/news/_posts/2022-04-12-buffer-overrun-in-string-to-float-cve-2022-28739.md

@@ -0,0 +1,35 @@
+---
+layout: news_post
+title: "CVE-2022-28739: Buffer overrun in String-to-Float conversion"
+author: "mame"
+translator:
+date: 2022-04-12 12:00:00 +0000
+tags: security
+lang: en
+---
+
+A buffer-overrun vulnerability is discovered in a conversion algorithm from a String to a Float.
+This vulnerability has been assigned the CVE identifier [CVE-2022-28739](https://nvd.nist.gov/vuln/detail/CVE-2022-28739).
+We strongly recommend upgrading Ruby.
+
+## Details
+
+Due to a bug in an internal function that converts a String to a Float, some conversion methods like `Kernel#Float` and `String#to_f` could cause buffer over-read.
+A typical consequence is a process termination due to segmentation fault, but under limited circumstances, it may be exploitable for illegal memory read.
+
+Please update Ruby to 2.6.10, 2.7.6, 3.0.4, or 3.1.2.
+
+## Affected versions
+
+* ruby 2.6.9 or prior
+* ruby 2.7.5 or prior
+* ruby 3.0.3 or prior
+* ruby 3.1.1 or prior
+
+## Credits
+
+Thanks to [piao](https://hackerone.com/piao?type=user) for discovering this issue.
+
+## History
+
+* Originally published at 2022-04-12 12:00:00 (UTC)

ko/news/_posts/2022-04-12-double-free-in-regexp-compilation-cve-2022-28738.md

@@ -0,0 +1,35 @@
+---
+layout: news_post
+title: "CVE-2022-28738: Double free in Regexp compilation"
+author: "mame"
+translator:
+date: 2022-04-12 12:00:00 +0000
+tags: security
+lang: en
+---
+
+A double-free vulnerability is discovered in Regexp compilation.
+This vulnerability has been assigned the CVE identifier [CVE-2022-28738](https://nvd.nist.gov/vuln/detail/CVE-2022-28738).
+We strongly recommend upgrading Ruby.
+
+## Details
+
+Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a "double free" vulnerability.
+Note that, in general, it is considered unsafe to create and use a Regexp object generated from untrusted input. In this case, however, following a comprehensive assessment, we treat this issue as a vulnerability.
+
+Please update Ruby to 3.0.4, or 3.1.2.
+
+## Affected versions
+
+* ruby 3.0.3 or prior
+* ruby 3.1.1 or prior
+
+Note that ruby 2.6 series and 2.7 series are not affected.
+
+## Credits
+
+Thanks to [piao](https://hackerone.com/piao?type=user) for discovering this issue.
+
+## History
+
+* Originally published at 2022-04-12 12:00:00 (UTC)

ko/news/_posts/2022-04-12-ruby-2-6-10-released.md

@@ -0,0 +1,59 @@
+---
+layout: news_post
+title: "Ruby 2.6.10 Released"
+author: "usa and mame"
+translator:
+date: 2022-04-12 12:00:00 +0000
+lang: en
+---
+
+Ruby 2.6.10 has been released.
+
+This release includes a security fix.
+Please check the topics below for details.
+
+* [CVE-2022-28739: Buffer overrun in String-to-Float conversion]({%link en/news/_posts/2022-04-12-buffer-overrun-in-string-to-float-cve-2022-28739.md %})
+
+This release also includes a fix of a build problem with very old compilers and a fix of a regression of date library.
+See the [commit logs](https://github.com/ruby/ruby/compare/v2_6_9...v2_6_10) for further details.
+
+After this release, Ruby 2.6 reaches EOL. In other words, this is expected to be the last release of Ruby 2.6 series.
+We will not release Ruby 2.6.11 even if a security vulnerability is found (but could release if a severe regression is found).
+We recommend all Ruby 2.6 users to start migration to Ruby 3.1, 3.0, or 2.7 immediately.
+
+## Download
+
+{% assign release = site.data.releases | where: "version", "2.6.10" | first %}
+
+* <{{ release.url.bz2 }}>
+
+      SIZE: {{ release.size.bz2 }}
+      SHA1: {{ release.sha1.bz2 }}
+      SHA256: {{ release.sha256.bz2 }}
+      SHA512: {{ release.sha512.bz2 }}
+
+* <{{ release.url.gz }}>
+
+      SIZE: {{ release.size.gz }}
+      SHA1: {{ release.sha1.gz }}
+      SHA256: {{ release.sha256.gz }}
+      SHA512: {{ release.sha512.gz }}
+
+* <{{ release.url.xz }}>
+
+      SIZE: {{ release.size.xz }}
+      SHA1: {{ release.sha1.xz }}
+      SHA256: {{ release.sha256.xz }}
+      SHA512: {{ release.sha512.xz }}
+
+* <{{ release.url.zip }}>
+
+      SIZE: {{ release.size.zip }}
+      SHA1: {{ release.sha1.zip }}
+      SHA256: {{ release.sha256.zip }}
+      SHA512: {{ release.sha512.zip }}
+
+## Release Comment
+
+Many committers, developers, and users who provided bug reports helped us make this release.
+Thanks for their contributions.

ko/news/_posts/2022-04-12-ruby-2-7-6-released.md

@@ -0,0 +1,64 @@
+---
+layout: news_post
+title: "Ruby 2.7.6 Released"
+author: "usa and mame"
+translator:
+date: 2022-04-12 12:00:00 +0000
+lang: en
+---
+
+Ruby 2.7.6 has been released.
+
+This release includes a security fix.
+Please check the topics below for details.
+
+* [CVE-2022-28739: Buffer overrun in String-to-Float conversion]({%link en/news/_posts/2022-04-12-buffer-overrun-in-string-to-float-cve-2022-28739.md %})
+
+This release also includes some bug fixes.
+See the [commit logs](https://github.com/ruby/ruby/compare/v2_7_5...v2_7_6) for further details.
+
+After this release, we end the normal maintenance phase of Ruby 2.7, and Ruby 2.7 enters the security maintenance phase.
+This means that we will no longer backport any bug fixes to Ruby 2.7 except security fixes.
+
+The term of the security maintenance phase is scheduled for a year.
+Ruby 2.7 reaches EOL and its official support ends by the end of the security maintenance phase.
+Therefore, we recommend that you start to plan upgrade to Ruby 3.0 or 3.1.
+
+## Download
+
+{% assign release = site.data.releases | where: "version", "2.7.6" | first %}
+
+* <{{ release.url.bz2 }}>
+
+      SIZE: {{ release.size.bz2 }}
+      SHA1: {{ release.sha1.bz2 }}
+      SHA256: {{ release.sha256.bz2 }}
+      SHA512: {{ release.sha512.bz2 }}
+
+* <{{ release.url.gz }}>
+
+      SIZE: {{ release.size.gz }}
+      SHA1: {{ release.sha1.gz }}
+      SHA256: {{ release.sha256.gz }}
+      SHA512: {{ release.sha512.gz }}
+
+* <{{ release.url.xz }}>
+
+      SIZE: {{ release.size.xz }}
+      SHA1: {{ release.sha1.xz }}
+      SHA256: {{ release.sha256.xz }}
+      SHA512: {{ release.sha512.xz }}
+
+* <{{ release.url.zip }}>
+
+      SIZE: {{ release.size.zip }}
+      SHA1: {{ release.sha1.zip }}
+      SHA256: {{ release.sha256.zip }}
+      SHA512: {{ release.sha512.zip }}
+
+## Release Comment
+
+Many committers, developers, and users who provided bug reports helped us make this release.
+Thanks for their contributions.
+
+The maintenance of Ruby 2.7, including this release, is based on the "Agreement for the Ruby stable version" of the Ruby Association.

ko/news/_posts/2022-04-12-ruby-3-0-4-released.md

@@ -0,0 +1,48 @@
+---
+layout: news_post
+title: "Ruby 3.0.4 Released"
+author: "nagachika and mame"
+translator:
+date: 2022-04-12 12:00:00 +0000
+lang: en
+---
+
+Ruby 3.0.4 has been released.
+
+This release includes security fixes.
+Please check the topics below for details.
+
+* [CVE-2022-28738: Double free in Regexp compilation]({%link en/news/_posts/2022-04-12-double-free-in-regexp-compilation-cve-2022-28738.md %})
+* [CVE-2022-28739: Buffer overrun in String-to-Float conversion]({%link en/news/_posts/2022-04-12-buffer-overrun-in-string-to-float-cve-2022-28739.md %})
+
+See the [commit logs](https://github.com/ruby/ruby/compare/v3_0_3...v3_0_4) for further details.
+
+## Download
+
+{% assign release = site.data.releases | where: "version", "3.0.4" | first %}
+
+* <{{ release.url.gz }}>
+
+      SIZE: {{ release.size.gz }}
+      SHA1: {{ release.sha1.gz }}
+      SHA256: {{ release.sha256.gz }}
+      SHA512: {{ release.sha512.gz }}
+
+* <{{ release.url.xz }}>
+
+      SIZE: {{ release.size.xz }}
+      SHA1: {{ release.sha1.xz }}
+      SHA256: {{ release.sha256.xz }}
+      SHA512: {{ release.sha512.xz }}
+
+* <{{ release.url.zip }}>
+
+      SIZE: {{ release.size.zip }}
+      SHA1: {{ release.sha1.zip }}
+      SHA256: {{ release.sha256.zip }}
+      SHA512: {{ release.sha512.zip }}
+
+## Release Comment
+
+Many committers, developers, and users who provided bug reports helped us make this release.
+Thanks for their contributions.

ko/news/_posts/2022-04-12-ruby-3-1-2-released.md

@@ -0,0 +1,48 @@
+---
+layout: news_post
+title: "Ruby 3.1.2 Released"
+author: "naruse and mame"
+translator:
+date: 2022-04-12 12:00:00 +0000
+lang: en
+---
+
+Ruby 3.1.2 has been released.
+
+This release includes security fixes.
+Please check the topics below for details.
+
+* [CVE-2022-28738: Double free in Regexp compilation]({%link en/news/_posts/2022-04-12-double-free-in-regexp-compilation-cve-2022-28738.md %})
+* [CVE-2022-28739: Buffer overrun in String-to-Float conversion]({%link en/news/_posts/2022-04-12-buffer-overrun-in-string-to-float-cve-2022-28739.md %})
+
+See the [commit logs](https://github.com/ruby/ruby/compare/v3_1_1...v3_1_2) for further details.
+
+## Download
+
+{% assign release = site.data.releases | where: "version", "3.1.2" | first %}
+
+* <{{ release.url.gz }}>
+
+      SIZE: {{ release.size.gz }}
+      SHA1: {{ release.sha1.gz }}
+      SHA256: {{ release.sha256.gz }}
+      SHA512: {{ release.sha512.gz }}
+
+* <{{ release.url.xz }}>
+
+      SIZE: {{ release.size.xz }}
+      SHA1: {{ release.sha1.xz }}
+      SHA256: {{ release.sha256.xz }}
+      SHA512: {{ release.sha512.xz }}
+
+* <{{ release.url.zip }}>
+
+      SIZE: {{ release.size.zip }}
+      SHA1: {{ release.sha1.zip }}
+      SHA256: {{ release.sha256.zip }}
+      SHA512: {{ release.sha512.zip }}
+
+## Release Comment
+
+Many committers, developers, and users who provided bug reports helped us make this release.
+Thanks for their contributions.