We should consider a rebase to the latest Ruby 2.4 release: https://www.ruby-lang.org/en/news/2017/03/22/ruby-2-4-1-released/
Latest Ruby 2.4 release: https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-4-2-released/
Contains fixes for:
- Bug CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
- Bug CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
- Bug CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
- Bug CVE-2017-14064: Heap exposure in generating JSON
- Multiple vulnerabilities in RubyGems
We should really ship ruby 2.4.2 with SCL. What can we do to get traction on this? 2.4.0 and 2.4.1 have serious bugs affecting ManageIQ and probably other people. We cannot use ruby 2.4 from SCL in ManageIQ/CloudForms unless it's rebased to 2.4.2+.
1) When executing instance_exec with symbol.to_proc, it ignores first argument https://bugs.ruby-lang.org/issues/13074
   This breaks factory_girl and other instance_exec code: https://github.com/thoughtbot/factory_girl/issues/980
   Fixed in 2.4.1
2) Memory leak recycling stacks for threads in 2.4.1 https://bugs.ruby-lang.org/issues/13772
   Unbound memory growth in 2.4.1 affecting rest-client and possibly other code run in threads. https://github.com/rest-client/rest-client/issues/611
   Fixed in ruby 2.4.2.
3) Additionally, the above mentioned CVEs.
I think async update would make sense here. What is the urgency of this request, Joe?