Crystal 1.19.2 is released!
Highlights
We are announcing a new Crystal release 1.19.2 with two regressions fixed.
See the release notes of 1.19.0 for all the changes introduced in Crystal 1.19.
Pre-built packages are available on GitHub Releases and our official distribution channels. See crystal-lang.org/install for installation instructions.
Stats
This release includes 3 changes since 1.19.1 by 2 contributors. We thank all the contributors for all the effort put into improving the language! ❤️
Changes
Security
HTTP::Server accepted requests containing both Content-Length and
Transfer-Encoding headers and prioritized Content-Length. This allowed HTTP
request smuggling as per CWE-444 when the server is behind a vulnerable
frontend. Refer to the advisory for more details.
HTTP::Server now rejects requests where both headers are present. The HTTP
parser now ignores Content-Length when the Transfer-Encoding header is
present (commit c948b31).
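The framing decisions described above, as an added example: this is a Python model written for this page, not Crystal's source or code from the advisory. It frames one constructed request under the pre-fix rule (Content-Length wins), the 1.19.2 parser rule (Content-Length ignored) and the 1.19.2 server rule (reject); the policy names and the sample request are assumptions for illustration.

```python
# Added example: a model of request framing, not Crystal's HTTP::Server code.
# Policy names ("before", "parser", "server") are labels invented for this sketch.

def parse_head(raw: bytes):
    """Return (headers with lowercased names, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, rest

def read_chunked(data: bytes):
    """Decode a chunked body (no trailer fields); return (body, unread bytes)."""
    body = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0].decode(), 16)
        if size == 0:
            return body, data.partition(b"\r\n")[2]  # consume the final CRLF
        body, data = body + data[:size], data[size + 2:]

def frame(raw: bytes, policy: str):
    """Return (decision, body, unread) under one of the three policies."""
    headers, rest = parse_head(raw)
    cl, te = headers.get("content-length"), headers.get("transfer-encoding")
    if cl is not None and te is not None:
        if policy == "server":   # 1.19.2 server behaviour: refuse the request
            return "reject", b"", b""
        if policy == "before":   # pre-fix behaviour: Content-Length wins
            te = None
        else:                    # 1.19.2 parser: Content-Length is ignored
            cl = None
    if te is not None:           # assumes the header value is "chunked"
        return ("chunked",) + read_chunked(rest)
    if cl is not None:
        n = int(cl)
        return "length", rest[:n], rest[n:]
    return "none", b"", rest

# Constructed sample request carrying both framing headers.
AMBIGUOUS = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for policy in ("before", "parser", "server"):
        print(policy, frame(AMBIGUOUS, policy))
```

Under `before`, the bytes left unread stay on the connection and are parsed as the start of the next request, which is where a backend and a frontend that framed the same bytes as chunked stop agreeing on request boundaries.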
Regressions
This patch release fixes a regression in Range#sample (#16866) that could
eventually lose randomness.
For more details, visit the full changelog.
We have been able to do all of this thanks to the continued support of 84codes and every other sponsor. To maintain and increase the development pace, donations and sponsorships are essential. OpenCollective is available for that.
Reach out to crystal@manas.tech if you’d like to become a direct sponsor or find other ways to support Crystal. We thank you in advance!