
             AUSCERT External Security Bulletin Redistribution

                  New Ruby bulletin: Ruby 2.7.0 Released
                              2 January 2020


        AusCERT Security Bulletin Summary

Product:           ruby
Publisher:         ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Reduced Security -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Ruby 2.7.0 Released

Posted by naruse on 25 Dec 2019

We are pleased to announce the release of Ruby 2.7.0.

It introduces a number of new features and performance improvements, most notably:

  o Pattern Matching
  o REPL improvement
  o Compaction GC
  o Separation of positional and keyword arguments

Pattern Matching [Experimental]

Pattern matching, a widely used feature in functional programming languages, is
introduced as an experimental feature. [Feature #14912]

It can traverse a given object and assign its value if it matches a pattern.

require "json"

json = <<END
{
  "name": "Alice",
  "age": 30,
  "children": [{ "name": "Bob", "age": 2 }]
}
END

case JSON.parse(json, symbolize_names: true)
in {name: "Alice", children: [{name: "Bob", age: age}]}
  p age #=> 2
end

For more details, please see Pattern matching - New feature in Ruby 2.7.
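
The same construct applied to input you do not control, as an added example (not code from the release announcement): a hash pattern matches when every listed key is present with a matching value, extra keys are ignored, and a type check such as `String` or `true` in the pattern rejects a value of the wrong type. A trailing `else` turns "nothing matched" into a rejection instead of a `NoMatchingPatternError` escaping to the caller. The three messages, the `classify` name and the result tuples are constructed for this example.

```ruby
require "json"

# Added example, not from the release announcement: validating an untrusted
# JSON message with case/in. Sample messages are constructed for the example.
VALID     = '{"type":"login","user":{"name":"alice","roles":["admin","dev"]},"mfa":true}'
NO_MFA    = '{"type":"login","user":{"name":"bob","roles":["dev"]},"mfa":false}'
MALFORMED = '{"type":"login","user":"alice"}'

def classify(raw)
  case JSON.parse(raw, symbolize_names: true)
  # Type checks are part of the pattern: name must be a String, roles an Array,
  # mfa the literal true (the string "true" does not match). The guard can use
  # variables bound by the pattern.
  in {type: "login", user: {name: String => name, roles: Array => roles}, mfa: true} if roles.include?("admin")
    [:admin_login, name]
  in {type: "login", user: {name: String => name}, mfa: true}
    [:login, name]
  in {type: "login", mfa: false}
    [:rejected, :no_mfa]
  else
    # Unexpected shape: wrong types, missing keys, or a non-object document
    # (an Array or a scalar never matches a hash pattern).
    [:rejected, :malformed]
  end
rescue JSON::ParserError
  [:rejected, :unparsable]
end
```

Note that `JSON::ParserError` has to be handled separately: pattern matching only sees the parsed object, so syntactically invalid input never reaches the `case`.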

REPL improvement

irb, the bundled interactive environment (REPL; Read-Eval-Print-Loop), now
supports multi-line editing. It is powered by reline, a readline-compatible
library implemented in pure Ruby. It also provides rdoc integration. In irb you
can display the reference for a given class, module, or method. [Feature #14683],
[Feature #14787], [Feature #14918]

Besides, source lines shown by Binding#irb and inspect results for core-class
objects are now colorized.

Compaction GC

This release introduces Compaction GC, which can defragment a fragmented memory space.

Some multi-threaded Ruby programs may cause memory fragmentation, leading to
high memory usage and degraded speed.

The GC.compact method is introduced for compacting the heap. This function
compacts live objects in the heap so that fewer pages may be used, and the heap
may be more CoW (copy-on-write) friendly. [Feature #15626]

Separation of positional and keyword arguments

Automatic conversion of keyword arguments and positional arguments is
deprecated, and conversion will be removed in Ruby 3. [Feature #14183]

See the article Separation of positional and keyword arguments in Ruby 3.0 for
details. In brief, the changes are as follows.

  o When a method call passes a Hash at the last argument, and when it passes
    no keywords, and when the called method accepts keywords, a warning is
    emitted. To continue treating the hash as keywords, add a double splat
    operator to avoid the warning and ensure correct behavior in Ruby 3.

  def foo(key: 42); end; foo({key: 42})   # warned
  def foo(**kw);    end; foo({key: 42})   # warned
  def foo(key: 42); end; foo(**{key: 42}) # OK
  def foo(**kw);    end; foo(**{key: 42}) # OK

  o When a method call passes keywords to a method that accepts keywords, but
    it does not pass enough required positional arguments, the keywords are
    treated as a final required positional argument, and a warning is emitted.
    Pass the argument as a hash instead of keywords to avoid the warning and
    ensure correct behavior in Ruby 3.

  def foo(h, **kw); end; foo(key: 42)      # warned
  def foo(h, key: 42); end; foo(key: 42)   # warned
  def foo(h, **kw); end; foo({key: 42})    # OK
  def foo(h, key: 42); end; foo({key: 42}) # OK

  o When a method accepts specific keywords but not a keyword splat, and a hash
    or keywords splat is passed to the method that includes both Symbol and
    non-Symbol keys, the hash will continue to be split, and a warning will be
    emitted. You will need to update the calling code to pass separate hashes
    to ensure correct behavior in Ruby 3.

  def foo(h={}, key: 42); end; foo("key" => 43, key: 42)   # warned
  def foo(h={}, key: 42); end; foo({"key" => 43, key: 42}) # warned
  def foo(h={}, key: 42); end; foo({"key" => 43}, key: 42) # OK

  o If a method does not accept keywords, and is called with keywords, the
    keywords are still treated as a positional hash, with no warning. This
    behavior will continue to work in Ruby 3.

  def foo(opt={});  end; foo( key: 42 )   # OK

  o Non-symbols are allowed as keyword argument keys if the method accepts
    arbitrary keywords. [Feature #14183]

  def foo(**kw); p kw; end; foo("str" => 1) #=> {"str"=>1}

  o **nil is allowed in method definitions to explicitly mark that the method
    accepts no keywords. Calling such a method with keywords will result in an
    ArgumentError. [Feature #14183]

  def foo(h, **nil); end; foo(key: 1)       # ArgumentError
  def foo(h, **nil); end; foo(**{key: 1})   # ArgumentError
  def foo(h, **nil); end; foo("str" => 1)   # ArgumentError
  def foo(h, **nil); end; foo({key: 1})     # OK
  def foo(h, **nil); end; foo({"str" => 1}) # OK

  o Passing an empty keyword splat to a method that does not accept keywords no
    longer passes an empty hash, unless the empty hash is necessary for a
    required parameter, in which case a warning will be emitted. Remove the
    double splat to continue passing a positional hash. [Feature #14183]

  h = {}; def foo(*a) a end; foo(**h) # []
  h = {}; def foo(a) a end; foo(**h)  # {} and warning
  h = {}; def foo(*a) a end; foo(h)   # [{}]
  h = {}; def foo(a) a end; foo(h)    # {}

If you want to disable the deprecation warnings, please use a command-line
argument -W:no-deprecated or add Warning[:deprecated] = false to your code.
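
How these rules let a method protect itself, as an added example (not code from the release announcement): a method that takes an untrusted attribute hash as data declares `**nil`, so the hash can only ever arrive positionally; a method that takes options declares exactly the keywords it accepts. The method names, the `UNTRUSTED` sample and the return values are chosen for this example; it runs on Ruby 2.7 and later, and the one version-dependent call is commented.

```ruby
# Added example, not code from the release announcement: using the 2.7
# positional/keyword split so that an untrusted attribute hash is never read as
# keyword options. Method and constant names are chosen for this example.

# Data-only method. **nil declares that no keywords are accepted, so a caller
# that splats a hash into it gets an ArgumentError rather than a hash that is
# silently reinterpreted as options.
def store_event(attrs, **nil)
  attrs.transform_keys(&:to_s).freeze
end

# Options method with one declared keyword and no **rest: an undeclared key
# raises instead of being collected.
def store_event_with_options(attrs, verify: true)
  { "attrs" => attrs, "verify" => verify }
end

# Constructed untrusted input: a parsed request body whose keys happen to
# collide with an option name.
UNTRUSTED = { verify: false, name: "x" }.freeze

# Passed positionally, the hash stays data whatever its keys look like.
def untrusted_as_data
  store_event(UNTRUSTED)
end

# Only an explicit ** turns a hash into keywords, and **nil rejects that.
def untrusted_splatted_into_data_method
  store_event(**UNTRUSTED)
rescue ArgumentError => e
  e.message
end

# Splatting the untrusted hash into the options method: :name is not a declared
# keyword, so the call raises.
def untrusted_splatted_into_options_method
  store_event_with_options({ "id" => 1 }, **UNTRUSTED)
rescue ArgumentError => e
  e.message
end

# The deprecated implicit path: the hash is the last positional argument.
# Ruby 2.7 still converts it to keywords (with a deprecation warning) and then
# fails on :name; Ruby 3 does not convert and reports an arity error. Both are
# ArgumentError. Had the hash contained only declared option names, 2.7 would
# have accepted it as options, which is the hazard **nil closes off above.
def implicit_conversion_attempt
  store_event_with_options({ "id" => 1 }, UNTRUSTED)
  :accepted
rescue ArgumentError => e
  e.class
end

# The trusted caller converts explicitly and passes only the option it means to.
def trusted_options
  opts = { verify: false }
  store_event_with_options({ "id" => 1 }, **opts)
end
```

The practical rule for code that handles deserialized input: pass it positionally, never with `**`, and give any method that receives it as data a `**nil` so that a later refactor cannot quietly start reading its keys as options.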

Other Notable New Features

  o Numbered parameters as default block parameters are introduced. [Feature #

  o A beginless range is experimentally introduced. It might not be as useful
    as an endless range, but would be good for DSL purposes. [Feature #14799]

  ary[..3]  # identical to ary[0..3]
  rel.where(sales: ..100)

  o Enumerable#tally is added. It counts the occurrence of each element.

  ["a", "b", "c", "b"].tally
  #=> {"a"=>1, "b"=>2, "c"=>1}

  o Calling a private method with a literal self as the receiver is now
    allowed. [Feature #11297], [Feature #16123]

  def foo
  end
  private :foo
  self.foo

  o Enumerator::Lazy#eager is added. It generates a non-lazy enumerator from a
    lazy enumerator. [Feature #15901]

  a = %w(foo bar baz)
  e = a.lazy.map {|x| x.upcase }.map {|x| x + "!" }.eager
  p e.class               #=> Enumerator
  p e.map {|x| x + "" }  #=> ["FOO!", "BAR!", "BAZ!"]
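
Enumerable#tally, numbered block parameters and beginless ranges together on a small detection task, as an added example (not code from the release announcement): count failed SSH password attempts per source address and flag sources over a threshold. The log lines, the regular expression, the function names and the severity buckets are constructed for this example.

```ruby
# Added example, not from the release announcement: Enumerable#tally, numbered
# block parameters (_1, _2) and beginless ranges applied to a small detection
# task. The log lines below are constructed for the example.
LOG = <<~LOG
  2019-12-25T00:00:01Z sshd[812]: Failed password for root from 203.0.113.7 port 4022 ssh2
  2019-12-25T00:00:02Z sshd[812]: Failed password for admin from 203.0.113.7 port 4023 ssh2
  2019-12-25T00:00:03Z sshd[813]: Accepted publickey for deploy from 198.51.100.4 port 5100 ssh2
  2019-12-25T00:00:04Z sshd[812]: Failed password for invalid user test from 203.0.113.7 port 4024 ssh2
  2019-12-25T00:00:05Z sshd[814]: Failed password for guest from 192.0.2.9 port 6001 ssh2
LOG

FAILED = /Failed password for (?:invalid user )?(?<user>\S+) from (?<ip>\d{1,3}(?:\.\d{1,3}){3})/

# Failed attempts per source address. tally replaces the usual
# each_with_object(Hash.new(0)) idiom; _1 is the implicit block parameter.
def failed_logins_by_ip(log)
  log.each_line.map { FAILED.match(_1) }.compact.map { _1[:ip] }.tally
end

# Sources at or above the threshold. Hash#select yields (key, value), so with
# numbered parameters _1 is the address and _2 its count.
def brute_force_sources(log, threshold: 3)
  failed_logins_by_ip(log).select { _2 >= threshold }.keys
end

# Beginless and endless ranges as severity buckets for a count.
def severity(count)
  case count
  when (..2)  then :info
  when (3..9) then :warn
  else             :critical
  end
end
```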

Performance improvements

  o JIT [Experimental]

       - JIT-ed code is recompiled to less-optimized code when an optimization
         assumption is invalidated.

       - Method inlining is performed when a method is considered pure. This
         optimization is still experimental and many methods are NOT considered
         pure yet.

       - The default value of --jit-min-calls is changed from 5 to 10,000.

       - The default value of --jit-max-cache is changed from 1,000 to 100.

  o Fiber's cache strategy is changed and fiber creation is sped up.

  o Module#name, true.to_s, false.to_s, and nil.to_s now always return a
    frozen String. The returned String is always the same for a given object.
    [Experimental] [Feature #16150]

  o The performance of CGI.escapeHTML is improved. GH-2226

  o The performance of Monitor and MonitorMixin is improved. [Feature #16255]

  o Per-call-site method cache, which has been there since around 1.9, was
    improved: cache hit rate raised from 89% to 94%. See GH-2583

  o RubyVM::InstructionSequence#to_binary method generates compiled binary. The
    binary size is reduced. [Feature #16163]

Other notable changes since 2.6

  o Some standard libraries are updated.
       - Bundler 2.1.2 (Release note)
       - RubyGems 3.1.2
           (Release note for 3.1.0)
           (Release note for 3.1.1)
           (Release note for 3.1.2)
       - Racc 1.4.15
       - CSV 3.1.2 (NEWS)
       - REXML 3.2.3 (NEWS)
       - RSS 0.2.8 (NEWS)
       - StringScanner 1.0.3
       - Some other libraries that have no original version are also updated.
  o The following libraries are no longer bundled gems. Install the
    corresponding gems to use these features.
       - CMath (cmath gem)
       - Scanf (scanf gem)
       - Shell (shell gem)
       - Synchronizer (sync gem)
       - ThreadsWait (thwait gem)
       - E2MM (e2mmap gem)
  o profile.rb was removed from the standard library.

  o Promote stdlib to default gems
       - The following default gems were published on rubygems.org
       - The following default gems were only promoted at ruby-core, but not yet
         published on rubygems.org.
  o Proc.new and proc with no block in a method called with a block now emit a
    warning.

  o lambda with no block in a method called with a block raises an exception.

  o Update Unicode version and Emoji version from 11.0.0 to 12.0.0. [Feature #

  o Update Unicode version to 12.1.0, adding support for U+32FF SQUARE ERA NAME
    REIWA. [Feature #15195]

  o Date.jisx0301 , Date#jisx0301 , and Date.parse support the new Japanese
    era. [Feature #15742]

  o Require compilers to support C99. [Misc #15347]
       Details of our dialect: https://bugs.ruby-lang.org/projects/ruby-trunk/

See NEWS or commit logs for more details.

With those changes, 4190 files changed, 227498 insertions(+), 99979 deletions
(-) since Ruby 2.6.0!

Merry Christmas, Happy Holidays, and enjoy programming with Ruby 2.7!


  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.0.tar.bz2

    SIZE: 14703381
    SHA1: b54f4633174dbc55db77d9fd6d0ef90cc35503af
    SHA256: 7aa247a19622a803bdd29fdb28108de9798abe841254fe8ea82c31d125c6ab26
    SHA512: 8b8dd0ceba65bdde53b7c59e6a84bc6bf634c676bfeb2ff0b3604c362c663b465397f31ff6c936441b3daabb78fb7a619be5569480c95f113dd0453488761ce7

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.0.tar.gz

    SIZE: 16799684
    SHA1: 6f4e99b5556010cb27e236873cb8c09eb8317cd5
    SHA256: 8c99aa93b5e2f1bc8437d1bbbefd27b13e7694025331f77245d0c068ef1f8cbe
    SHA512: 973fc29b7c19e96c5299817d00fbdd6176319468abfca61c12b5e177b0fb0d31174a5a5525985122a7a356091a709f41b332454094940362322d1f42b77c9927

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.0.tar.xz

    SIZE: 11990900
    SHA1: 943c767cec037529b8e2d3cc14fc880cad5bad8d
    SHA256: 27d350a52a02b53034ca0794efe518667d558f152656c2baaf08f3d0c8b02343
    SHA512: dd5690c631bf3a2b76cdc06902bcd76a89713a045e136debab9b8a81ff8c433bbb254aa09e4014ca1cf85a69ff4bcb13de11da5e40c224e7268be43ef2194af7

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.0.zip

    SIZE: 20571744
    SHA1: fbebdd3a2a641f9a81f7d8db5abd926acea27e80
    SHA256: 8bf2050fa1fc76882f878fd526e4184dc54bd402e385efa80ef5fd3b810522e0
    SHA512: 5060f2dd3bfd271ef255b17589d6d014260d7ec2d97b48112b717ee01c62fe125c3fe04f813e02d607cea3f0a2a812b14eb3a28d06c2551354dfeff5f4c3dd6b
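
Before unpacking or building any of the archives above, compare the file you actually downloaded with the digest the announcement publishes for it. The following is an added example (not part of the announcement) that does this check from Ruby with the standard Digest library; the digest table is copied from the list above, and the function name and result hash are chosen for this example.

```ruby
require "digest"

# Added example, not part of the announcement: check a downloaded Ruby 2.7.0
# archive against the SHA256 digests published in the release announcement.
RUBY_2_7_0_SHA256 = {
  "ruby-2.7.0.tar.bz2" => "7aa247a19622a803bdd29fdb28108de9798abe841254fe8ea82c31d125c6ab26",
  "ruby-2.7.0.tar.gz"  => "8c99aa93b5e2f1bc8437d1bbbefd27b13e7694025331f77245d0c068ef1f8cbe",
  "ruby-2.7.0.tar.xz"  => "27d350a52a02b53034ca0794efe518667d558f152656c2baaf08f3d0c8b02343",
  "ruby-2.7.0.zip"     => "8bf2050fa1fc76882f878fd526e4184dc54bd402e385efa80ef5fd3b810522e0",
}.freeze

# Streams the file through SHA256 (Digest::SHA256.file does not read it into
# memory at once) and compares against the published digest for that file
# name. Raises KeyError for a file name the announcement does not list, so an
# unexpected archive is never silently "verified". `expected` can be overridden,
# which the example's own test uses with a locally constructed file.
def verify_ruby_download(path, expected: RUBY_2_7_0_SHA256.fetch(File.basename(path)))
  actual = Digest::SHA256.file(path).hexdigest
  { file: File.basename(path), ok: actual == expected.downcase, actual: actual }
end

# Command-line use: ruby verify.rb ruby-2.7.0.tar.xz
if $PROGRAM_NAME == __FILE__ && ARGV.any?
  ARGV.each do |path|
    r = verify_ruby_download(path)
    puts "#{r[:ok] ? 'OK  ' : 'FAIL'} #{r[:file]} #{r[:actual]}"
  end
end
```

A digest fetched from the same server as the archive only protects against a corrupted transfer; the value of this check comes from taking the expected digest from an independently received copy of the announcement, such as this bulletin.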

What is Ruby

Ruby was first developed by Matz (Yukihiro Matsumoto) in 1993, and is now
developed as Open Source. It runs on multiple platforms and is used all over
the world especially for web development.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967