Sinatra 2.0.2 and 2.0.3 are out
We would like to inform you that we have released Sinatra v2.0.2 and v2.0.3.
Before we begin, I want to thank everyone who contributed, helped test pre-releases, and continues to use and support the project.
Security Fix CVE-2018-11627
Sinatra had a critical vulnerability since v2.0.0. The purpose of this release is to fix CVE-2018-11627.
The vulnerability is that XSS can be executed by using illegal parameters. The issue was reported by @JokerCatz. Thank you so much.
If you’re using Sinatra v2.0.x, please upgrade to v2.0.2 or later.’
This release includes the release of the following gems, and associated versions:
sinatra: v2.0.2, v2.0.3
sintra-contrib: v2.0.2, v2.0.3
rack-protection: v2.0.2, v2.0.3
What is the difference between v2.0.3 and v2.0.2 ?
In sinatra-contrib v2.0.2, a critical regression was found for the
Version 2.0.3 fixes the issue by merging a patch sent by author of the
We thank everyone who reported and confirmed the issue.
Find out what’s new in v2.0.2 and v2.0.3 in CHANGELOG.md
Thank you everyone who has contributed over the years to this project, and continues to ensure it lives on. Finally, I am deeply grateful to Shota Iguchi who worked on the v2.0.2 improvement.