Skip to content

Translate "Ruby 3.4.7 Released" and "CVE-2025-61594" #3637

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 9, 2025
Merged

Translate "Ruby 3.4.7 Released" and "CVE-2025-61594" #3637

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2a213db
Translate "Ruby 3.4.7 Released" and "CVE-2025-61594"
Gao-Jun Oct 9, 2025
e6ef5b8
Merge branch 'master' into 3.4.7_cve_2025_61594_zh_cn
hlcfan Oct 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions zh_cn/news/_posts/2025-10-07-ruby-3-4-7-released.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
---
layout: news_post
title: "Ruby 3.4.7 已发布"
author: k0kubun
translator: "GAO Jun"
date: 2025-10-07 17:14:11 +0000
lang: zh_cn
---

Ruby 3.4.7 已发布。

此次更新包含了 [修复导致 CVE-2025-61594 的 uri gem](/zh_cn/news/2025/10/07/uri-cve-2025-61594/)
详情可参考 [GitHub 发布说明](https://github.com/ruby/ruby/releases/tag/v3_4_7)

我们建议您更新 `uri` gem 版本。此次发布为那些想继续将其作为默认 gem 的用户提供了便利。

## 发布计划

我们计划每2个月发布最新的 Ruby 稳定版本(目前是 Ruby 3.4)。
Ruby 3.4.8 将于十二月发布,3.4.9 将于明年二月发布。

如果存在会影响到大量用户的变更,我们可能会提前发布新版本,后续版本的发布计划也将进行相应变更。

## 下载

{% assign release = site.data.releases | where: "version", "3.4.7" | first %}

* <{{ release.url.gz }}>

文件大小: {{ release.size.gz }}
SHA1: {{ release.sha1.gz }}
SHA256: {{ release.sha256.gz }}
SHA512: {{ release.sha512.gz }}

* <{{ release.url.xz }}>

文件大小: {{ release.size.xz }}
SHA1: {{ release.sha1.xz }}
SHA256: {{ release.sha256.xz }}
SHA512: {{ release.sha512.xz }}

* <{{ release.url.zip }}>

文件大小: {{ release.size.zip }}
SHA1: {{ release.sha1.zip }}
SHA256: {{ release.sha256.zip }}
SHA512: {{ release.sha512.zip }}

## 发布说明

许多提交者、开发人员以及用户提供了问题报告,帮助我们完成了此版本。
感谢他们的贡献。
36 changes: 36 additions & 0 deletions zh_cn/news/_posts/2025-10-07-uri-cve-2025-61594.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
---
layout: news_post
title: "CVE-2025-61594: 绕过此前补丁的 URI 敏感信息泄漏"
author: "hsbt"
translator:
date: 2025-10-07 00:00:00 +0000
tags: security
lang: zh_cn
---

我们发布了关于 CVE-2025-61594 的安全建议。

## CVE-2025-61594: 绕过此前补丁的 URI 敏感信息泄漏

在受影响的 URI gem 版本中,对于此前 CVE-2025-27221 的修复,存在可以绕过该修复并泄漏敏感信息的漏洞。

此漏洞的 CVE 编号为 [CVE-2025-61594](https://www.cve.org/CVERecord?id=CVE-2025-61594)
我们建议您更新 `uri` gem。

### 详情

当使用 `+` 操作符拼接 URI 时,原始 URI 中的密码等敏感信息可能会被泄漏,这违反了 RFC3986 规范,并可能导致应用受到敏感信息泄漏的威胁。

请更新 `uri` gem 到 0.12.5, 0.13.3, 1.0.4 或更高版本。

### 受影响版本

* uri gem 版本 低于 0.12.5, 0.13.0 至 0.13.2 以及 1.0.0 至 1.0.3。

### 致谢

感谢 [junfuchong (chongfujun)](https://hackerone.com/chongfujun) 发现此问题。同时感谢 [nobu](https://github.com/nobu) 提供了此漏洞的补丁。

## 历史

* 最初发布于 at 2025-10-07 0:00:00 (UTC)
Loading