Wednesday, August 30, 2017

Security Issue: RubyGems

The Ruby project has published a security advisory covering multiple moderate-severity vulnerabilities in the RubyGems version bundled with Ruby. The reported issues are:
  • A DNS request hijacking vulnerability
  • An ANSI escape sequence vulnerability
  • A DoS vulnerability in the query command
  • A vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files

The following versions are affected:
  • Ruby 2.2.7 and earlier
  • Ruby 2.3.4 and earlier
  • Ruby 2.4.1 and earlier

At this time, there are no Ruby releases with the fix for RubyGems. It is strongly recommended to apply one of the following workarounds:
  • Upgrade RubyGems to the latest version (2.6.13) by executing:
     $ gem update --system
  • Apply the patch for your version:
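To help decide which hosts still need the workaround above, here is a small POSIX shell check that compares the installed RubyGems version against the fixed release 2.6.13 named in this post. It is an added example, not part of the original advisory or of the RubyGems project; the function names (`version_cmp`, `rubygems_needs_update`, `check_host`) and the `--check` flag are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the advisory): flag RubyGems installs older than
# the fixed release 2.6.13 named in the post above.
FIXED_RUBYGEMS="2.6.13"

# Compare two dotted version strings; prints "lt", "eq" or "gt" describing $1
# relative to $2. Missing trailing components count as 0 (2.6 == 2.6.0).
version_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, pa, "."); nb = split(b, pb, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? pa[i] + 0 : 0
      y = (i <= nb) ? pb[i] + 0 : 0
      if (x < y) { print "lt"; exit }
      if (x > y) { print "gt"; exit }
    }
    print "eq"
  }'
}

# True (exit 0) when the given RubyGems version is below the fixed release.
rubygems_needs_update() {
  [ "$(version_cmp "$1" "$FIXED_RUBYGEMS")" = "lt" ]
}

# Inspect the RubyGems actually installed on this host.
# Exit status: 0 = fixed or newer, 1 = needs update, 2 = gem not found.
check_host() {
  if ! command -v gem >/dev/null 2>&1; then
    echo "gem not found; RubyGems is not installed on this host" >&2
    return 2
  fi
  installed="$(gem --version)"
  if rubygems_needs_update "$installed"; then
    echo "RubyGems $installed is affected; run: gem update --system"
    return 1
  fi
  echo "RubyGems $installed is at or above $FIXED_RUBYGEMS"
  return 0
}

# Only run the live check when explicitly asked, so the file can also be
# sourced for its functions: sh rubygems_check.sh --check
case "${1:-}" in
  --check) check_host ;;
esac
```

Run it as `sh rubygems_check.sh --check` on each host; a non-zero exit status is the signal to apply `gem update --system` (or the per-version patch). Note that this checks only the RubyGems version reported by `gem --version`, so a host with several Ruby installs (rbenv, rvm, system Ruby) needs the check run once per interpreter.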

You can find more info about this issue in the links below:

RubyGems project
Hacker News

If you have further questions about Ruby or this security issue, please post to our community forums and we will be happy to help you.