Sinatra 2.0.2 and 2.0.3 are out

By Kunpei Sakai on Saturday, June 9, 2018

We would like to inform you that we have released Sinatra v2.0.2 and v2.0.3.

Before we begin, I want to thank everyone who contributed, helped test pre-releases, and continues to use and support the project.

Security Fix CVE-2018-11627

Sinatra had a critical vulnerability since v2.0.0. The purpose of this release is to fix CVE-2018-11627.

The vulnerability is that XSS can be executed by using illegal parameters. The issue was reported by @JokerCatz. Thank you so much.

If you’re using Sinatra v2.0.x, please upgrade to v2.0.2 or later.’

Releases

This release includes the release of the following gems, and associated versions:

  • sinatra: v2.0.2, v2.0.3
  • sintra-contrib: v2.0.2, v2.0.3
  • rack-protection: v2.0.2, v2.0.3

What is the difference between v2.0.3 and v2.0.2 ?

In sinatra-contrib v2.0.2, a critical regression was found for the backports gem. Version 2.0.3 fixes the issue by merging a patch sent by author of the backports gem.

We thank everyone who reported and confirmed the issue.

Changes

Find out what’s new in v2.0.2 and v2.0.3 in CHANGELOG.md

Thank you

Thank you everyone who has contributed over the years to this project, and continues to ensure it lives on. Finally, I am deeply grateful to Shota Iguchi who worked on the v2.0.2 improvement.