Crystal 1.20.3 is released!
Highlights
We are announcing a new Crystal release 1.20.3 with fixes for two security
vulnerabilities in the YAML parsers. We recommend upgrading as soon as
possible if your application processes YAML files from unknown origins.
See the release notes of 1.20.0 for all the changes introduced in Crystal 1.20.
Pre-built packages are available on GitHub Releases and our official distribution channels. See crystal-lang.org/install for installation instructions.
Stats
This release includes 2 security fixes and 1 refactor since 1.20.2 by 1 contributor. We thank all the contributors for all the effort put into improving the language! ❤️
Changes
Limit max nesting of sequences and mappings in YAML parsers
The YAML parsers use recursion to parse sequences and mappings but did not
limit how deeply they could be nested. A deeply nested YAML document could
therefore exhaust the call stack and crash the process with a stack overflow
(#17107).
- Add max_nesting to YAML::PullParser (#17107)
Thanks, @ysbaddaden
Prevent excessive expansion of aliases in YAML parsers
The YAML parsers were vulnerable to the billion laughs attack when expanding
aliases: a document of about 100 nodes could expand to over a billion nodes.
Parsing itself completed without trouble, but any code that then walked the
parsed document would visit the same aliased nodes over and over, quickly
grinding applications to a halt.
- Add alias vs anchor ratio check to YAML::PullParser (#17109)
- Memoize anchor name in YAML::PullParser (#17108)
Thanks, @ysbaddaden
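Both fixes above bound the work a hostile document can force on a recursive parser. The following is an added illustration written for this page, not Crystal's YAML code: a tiny flow-style YAML-subset parser (sequences, mappings, scalars, &anchor and *alias) that applies the two defenses. The parameter name max_nesting is borrowed from the changelog entry; the ratio check here (nodes materialised through aliases may not exceed a multiple of nodes actually parsed from the input) is this example's own reading of "alias vs anchor ratio" and is not claimed to match the Crystal implementation. The sample documents are constructed.

```python
import re


class YAMLSafetyError(ValueError):
    """Raised when a document trips a resource limit or is malformed."""


class MiniFlowParser:
    """Flow-style YAML subset for illustration only; not a YAML parser.

    Scalars stay strings, mapping keys must be scalars, and characters the
    tokenizer cannot match are skipped. Aliases return the anchored object
    itself, as in real YAML, so no copying happens during parsing.
    """
    TOKEN = re.compile(r"\s*([\[\]{},:]|&\w+|\*\w+|[^\s\[\]{},:&*]+)")

    def __init__(self, text, max_nesting=32, max_alias_ratio=10):
        self.tokens = self.TOKEN.findall(text)
        self.pos = 0
        self.max_nesting = max_nesting          # name assumed from the changelog
        self.max_alias_ratio = max_alias_ratio  # expanded nodes allowed per parsed node
        self.anchors = {}        # anchor name -> (node, node count under it)
        self.parsed_nodes = 0    # nodes built from input tokens (bounded by input size)
        self.expanded_nodes = 0  # nodes reached again through aliases

    def parse(self):
        node, _ = self._value(depth=0)
        if self.pos != len(self.tokens):
            raise YAMLSafetyError("trailing tokens after document")
        return node

    def _next(self):
        if self.pos >= len(self.tokens):
            raise YAMLSafetyError("unexpected end of document")
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _enter(self, depth):
        # Stack-overflow defense: refuse to recurse past max_nesting containers.
        if depth > self.max_nesting:
            raise YAMLSafetyError(f"nesting depth {depth} exceeds max_nesting={self.max_nesting}")
        self.parsed_nodes += 1

    def _value(self, depth):
        tok = self._next()
        anchor = None
        if tok.startswith("&"):
            anchor, tok = tok[1:], self._next()
        if tok.startswith("*"):
            if anchor is not None:
                raise YAMLSafetyError("an alias cannot carry an anchor")
            name = tok[1:]
            if name not in self.anchors:
                raise YAMLSafetyError(f"unknown alias *{name}")
            node, count = self.anchors[name]
            # Billion-laughs defense: every alias re-counts the whole anchored subtree,
            # so total work stays within (1 + ratio) * input size however aliases nest.
            self.expanded_nodes += count
            if self.expanded_nodes > self.max_alias_ratio * self.parsed_nodes:
                raise YAMLSafetyError(
                    f"aliases expand to {self.expanded_nodes} nodes from only "
                    f"{self.parsed_nodes} parsed nodes (ratio > {self.max_alias_ratio})")
            return node, count
        if tok == "[":
            node, count = self._sequence(depth + 1)
        elif tok == "{":
            node, count = self._mapping(depth + 1)
        elif tok in ("]", "}", ",", ":"):
            raise YAMLSafetyError(f"unexpected {tok!r}")
        else:
            node, count = tok, 1
            self.parsed_nodes += 1
        if anchor is not None:
            self.anchors[anchor] = (node, count)
        return node, count

    def _sequence(self, depth):
        self._enter(depth)
        items, count = [], 1
        if self._peek() == "]":
            self._next()
            return items, count
        while True:
            node, n = self._value(depth)
            items.append(node)
            count += n
            tok = self._next()
            if tok == "]":
                return items, count
            if tok != ",":
                raise YAMLSafetyError(f"expected ',' or ']' but got {tok!r}")

    def _mapping(self, depth):
        self._enter(depth)
        result, count = {}, 1
        if self._peek() == "}":
            self._next()
            return result, count
        while True:
            key, n = self._value(depth)
            if not isinstance(key, str):
                raise YAMLSafetyError("only scalar mapping keys are supported")
            if self._next() != ":":
                raise YAMLSafetyError(f"expected ':' after key {key!r}")
            val, m = self._value(depth)
            result[key] = val
            count += n + m
            tok = self._next()
            if tok == "}":
                return result, count
            if tok != ",":
                raise YAMLSafetyError(f"expected ',' or '}}' but got {tok!r}")


def parse_flow_yaml(text, max_nesting=32, max_alias_ratio=10):
    return MiniFlowParser(text, max_nesting, max_alias_ratio).parse()


def is_rejected(text, **limits):
    """True if the document trips a limit (or is malformed) under the given limits."""
    try:
        parse_flow_yaml(text, **limits)
    except YAMLSafetyError:
        return True
    return False


def alias_shares_node(text, key_a, key_b):
    """True if two top-level mapping entries resolve to the same object (alias reuse)."""
    doc = parse_flow_yaml(text)
    return doc[key_a] is doc[key_b]


# Constructed sample inputs (not taken from any real advisory).
DEEPLY_NESTED = "[" * 40 + "]" * 40
# Three levels of ten aliases each; a real billion-laughs document keeps going.
BILLION_LAUGHS = (
    "{a: &a [x,x,x,x,x,x,x,x,x,x],"
    " b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a,*a],"
    " c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b,*b]}"
)
# Legitimate alias use (shared defaults) must still pass.
SHARED_DEFAULTS = "{defaults: &d {timeout: 30, retries: 3}, prod: *d, dev: *d}"
```

With the defaults, the 40-deep document is refused at depth 33 before the recursion gets anywhere near a native stack limit, and the laughs document is refused at the first *b, when 221 expanded nodes stand against only 17 parsed nodes. The shared-defaults document parses, and prod and dev point at the very same mapping object, which is the behaviour a memoized anchor lookup preserves.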
For more details, visit the full changelog.
We have been able to do all of this thanks to the continued support of 84codes and every other sponsor. To maintain and increase the development pace, donations and sponsorships are essential. OpenCollective is available for that.
Reach out to crystal@manas.tech if you’d like to become a direct sponsor or find other ways to support Crystal. We thank you in advance!
Contribute