Update version to 2.7.4

eregon · eregon · commit 74373774aae1 · 2021-09-09T14:30:58.000+02:00
diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-2.7.3
+2.7.4
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -54,6 +54,10 @@ Changes:
 * `foreign_object.keys` no longer returns members, use `foreign_object.instance_variables` or `foreign_object.methods` instead.
 * `foreign_object.respond_to?(:class)` is now always true (before it was only for Java classes), since the method is always defined.
 
+Security:
+
+* Updated to Ruby 2.7.4 to fix CVE-2021-31810, CVE-2021-32066 and CVE-2021-31799.
+
 # 21.2.0
 
 New features:
diff --git a/doc/legal/legal.md b/doc/legal/legal.md
@@ -19,7 +19,7 @@ See `epl-2.0.txt`, `gpl-2.txt`, `lgpl-2.1.txt`.
 ## MRI
 
 The standard implementation of Ruby is MRI. TruffleRuby contains code from MRI
-version 2.7.3, including:
+version 2.7.4, including:
 
 * the standard library in `lib/mri`, 
 * Ruby C extension API in `lib/cext/include` and `src/main/c/cext`, 
diff --git a/doc/user/compatibility.md b/doc/user/compatibility.md
@@ -7,7 +7,7 @@ permalink: /reference-manual/ruby/Compatibility/
 # Compatibility
 
 TruffleRuby aims to be fully compatible with the standard implementation of
-Ruby, MRI, version 2.7.3, [including C extensions](#c-extension-compatibility).
+Ruby, MRI, version 2.7.4, [including C extensions](#c-extension-compatibility).
 TruffleRuby is still in development, so it is not 100% compatible yet.
 
 Any incompatibility with MRI is considered a bug, except for rare cases detailed below.
diff --git a/doc/user/known-cves.md b/doc/user/known-cves.md
@@ -33,6 +33,9 @@ Cross-reference with the details on [the MRI website](https://www.ruby-lang.org/
 
 Number | Description | Their Mitigation | Test | Our Mitigation
 --- | --- | --- | --- | ---
+CVE-2021-31810 | Trusting FTP PASV responses vulnerability in Net::FTP | [Fix](https://github.com/ruby/ruby/commit/3ca1399150ed4eacfd2fe1ee251b966f8d1ee469) | [Test](https://github.com/ruby/ruby/commit/3ca1399150ed4eacfd2fe1ee251b966f8d1ee469) | Same
+CVE-2021-32066 | A StartTLS stripping vulnerability in Net::IMAP | [Fix](https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a) | [Test](https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a) | Same
+CVE-2021-31799 | A command injection vulnerability in RDoc | [Fix](https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7) [Backport](https://github.com/ruby/ruby/commit/483f303d02e768b69e476e0b9be4ab2f26389522) | [Test](https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7) | Same
 CVE-2021-28966 | Path traversal in Tempfile on Windows | Sanitization of paths in tmpdir.rb | In `test/mri/tests/test_tmpdir.rb` | Sanitization of paths in tmpdir.rb
 CVE-2021-28965 | XML round-trip vulnerability in REXML | Update to REXML 3.2.5 | In ruby/rexml | Update to REXML 3.2.5
 CVE-2020-10663 | Unsafe Object Creation Vulnerability in JSON (Additional fix) | [Fix](https://bugs.ruby-lang.org/issues/16698) | [Spec](https://github.com/ruby/spec/pull/764) | The pure Ruby version of JSON we use is safe
diff --git a/lib/cext/ABI_check.txt b/lib/cext/ABI_check.txt
@@ -1 +1 @@
-7
+1
diff --git a/lib/cext/ABI_version.txt b/lib/cext/ABI_version.txt
@@ -1 +1 @@
-11
+1
diff --git a/src/shared/java/org/truffleruby/shared/TruffleRuby.java b/src/shared/java/org/truffleruby/shared/TruffleRuby.java
@@ -17,7 +17,7 @@ public class TruffleRuby {
     public static final String LANGUAGE_ID = "ruby";
     public static final String EXTENSION = ".rb";
     public static final String ENGINE_ID = "truffleruby";
-    public static final String LANGUAGE_VERSION = "2.7.3";
+    public static final String LANGUAGE_VERSION = "2.7.4";
     public static final String LANGUAGE_REVISION = BuildInformationImpl.INSTANCE.getFullRevision();
     public static final String BOOT_SOURCE_NAME = "main_boot_source";
     public static final String RUBY_COPYRIGHT = "truffleruby - Copyright (c) 2013-" +
diff --git a/test/truffle/gems/default-bundled-gems/Gemfile b/test/truffle/gems/default-bundled-gems/Gemfile
@@ -33,7 +33,7 @@ gem "prime", "0.1.1"
 gem "pstore", "0.1.0"
 gem "psych", "3.1.0"
 gem "racc", "1.4.16"
-gem "rdoc", "6.2.1"
+gem "rdoc", "6.2.1.1"
 gem "readline", "0.0.2"
 gem "readline-ext", "0.1.0"
 gem "reline", "0.2.3"
diff --git a/test/truffle/gems/default-bundled-gems/Gemfile.lock b/test/truffle/gems/default-bundled-gems/Gemfile.lock
@@ -39,7 +39,7 @@ GEM
     psych (3.1.0)
     racc (1.4.16)
     rake (13.0.1)
-    rdoc (6.2.1)
+    rdoc (6.2.1.1)
     readline (0.0.2)
       reline
     readline-ext (0.1.0)
@@ -102,7 +102,7 @@ DEPENDENCIES
   psych (= 3.1.0)
   racc (= 1.4.16)
   rake (= 13.0.1)
-  rdoc (= 6.2.1)
+  rdoc (= 6.2.1.1)
   readline (= 0.0.2)
   readline-ext (= 0.1.0)
   reline (= 0.2.3)
diff --git a/versions.json b/versions.json
@@ -6,7 +6,7 @@
       "gem": "3.1.6",
       "irb": "1.3.3",
       "racc": "1.4.16",
-      "rdoc": "6.2.1",
+      "rdoc": "6.2.1.1",
       "did_you_mean": "1.4.0"
     },
 
