- A DNS request hijacking vulnerability
- An ANSI escape sequence vulnerability
- A DoS vulnerability in the query command
- A vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files
The following versions are affected:
- Ruby 2.2 series: 2.2.7 and earlier
- Ruby 2.3 series: 2.3.4 and earlier
- Ruby 2.4 series: 2.4.1 and earlier
At this time, there are no Ruby releases with the fix for RubyGems. It is strongly recommended to apply one of the following workarounds:
- Upgrade RubyGems to the latest version (2.6.13) by executing:
$ gem update --system
- Apply the patch for your version:
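To support the first workaround, here is an added POSIX shell example (not part of the advisory or of the RubyGems project) that compares an installed RubyGems version against the fixed release 2.6.13 named above, so a host can be checked before and after running `gem update --system`. The version comparison is implemented by hand rather than relying on `sort -V`; the `--check` flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the advisory: flag RubyGems versions older than the
# release (2.6.13) that the advisory names as carrying the fix.
FIXED_RUBYGEMS_VERSION="2.6.13"

# Compare two dotted version strings component by component.
# Prints "lt", "eq" or "gt". Missing components count as 0, and any
# non-digit characters in a component (e.g. a ".pre" suffix) are ignored.
compare_versions() {
  a="$1"; b="$2"
  i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i" | tr -cd '0-9')
    y=$(printf '%s' "$b" | cut -d. -f"$i" | tr -cd '0-9')
    # Both sides exhausted: the versions are equal.
    if [ -z "$x" ] && [ -z "$y" ]; then echo eq; return; fi
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo lt; return; fi
    if [ "$x" -gt "$y" ]; then echo gt; return; fi
    i=$((i + 1))
  done
}

# Returns 0 (true) when the given RubyGems version predates the fix.
rubygems_needs_update() {
  case "$(compare_versions "$1" "$FIXED_RUBYGEMS_VERSION")" in
    lt) return 0 ;;
    *)  return 1 ;;
  esac
}

# Inspect the RubyGems actually installed on this host.
# Exit status: 0 = fixed version present, 1 = update needed, 2 = gem not found.
main() {
  installed=$(gem --version 2>/dev/null) || { echo "gem command not found"; return 2; }
  if rubygems_needs_update "$installed"; then
    echo "RubyGems $installed is older than $FIXED_RUBYGEMS_VERSION: run 'gem update --system'"
    return 1
  fi
  echo "RubyGems $installed already includes the fix"
  return 0
}

# Run the host check only when invoked as: sh rubygems_check.sh --check
if [ "${1:-}" = "--check" ]; then
  main
  exit $?
fi
```

Run it with `--check` on each host to produce an exit status suitable for a fleet inventory script; the comparison functions can also be sourced and used on version strings gathered elsewhere.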
You can find more info about this issue in the links below:
RubyGems project
Hacker News
If you have further questions about Ruby or this security issue, please post to our community forums and we will be happy to help you.