Wednesday, August 30, 2017

Security Issue: RubyGems

The Ruby project has published a security advisory covering multiple moderate-severity vulnerabilities in the copy of RubyGems bundled with Ruby. The reported issues are:
  • A DNS request hijacking vulnerability
  • An ANSI escape sequence vulnerability
  • A DoS vulnerability in the query command
  • A vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files

The following versions are affected:
  • Ruby 2.2.7 and earlier
  • Ruby 2.3.4 and earlier
  • Ruby 2.4.1 and earlier

At this time, there is no Ruby release that ships a fixed RubyGems. It is strongly recommended to apply one of the following workarounds:
  • Upgrade RubyGems to the latest version (2.6.13) by running:
     $ gem update --system
  • Apply the patch for your version:
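Before running the upgrade it helps to know whether a given Ruby install is actually below the fixed RubyGems release, and afterwards to confirm that the new version is the one `gem` now reports. The script below is an added example, not code from the original post or from the RubyGems project: it compares the locally installed RubyGems version against 2.6.13 and, only when invoked with `--fix`, runs the same `gem update --system` command as above, pinned to that version. The function names, the `--check`/`--fix` flags and the numeric version comparison are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original advisory post): report whether the
# installed RubyGems is older than the fixed release, and optionally upgrade it.
# Function names and the --check/--fix flags are this example's own conventions.

FIXED_RUBYGEMS=2.6.13

# version_lt A B: succeed (exit 0) when dotted version A is strictly older
# than B. Components are compared numerically, so 2.6.2 < 2.6.13 holds (a plain
# string comparison would get that wrong); a missing component counts as 0.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        x=${x:-0}
        y=${y:-0}
        # A non-numeric component (e.g. a pre-release tag) makes both tests
        # fail, so it is treated as equal and the loop moves on.
        if [ "$x" -lt "$y" ] 2>/dev/null; then return 0; fi
        if [ "$x" -gt "$y" ] 2>/dev/null; then return 1; fi
    done
    return 1
}

# rubygems_status MODE: print whether the local RubyGems is affected.
# With MODE=--fix, also run the upgrade the advisory recommends, pinned to
# the fixed release, and re-read the version afterwards. Returns 0 only when
# the final state is at or above the fixed release.
rubygems_status() {
    mode=$1
    if ! current=$(gem --version 2>/dev/null); then
        echo "gem command not found; is the affected Ruby on PATH?" >&2
        return 2
    fi
    if ! version_lt "$current" "$FIXED_RUBYGEMS"; then
        echo "RubyGems $current is at or above $FIXED_RUBYGEMS: not affected"
        return 0
    fi
    echo "RubyGems $current is older than $FIXED_RUBYGEMS: affected"
    if [ "$mode" != "--fix" ]; then
        return 1
    fi
    gem update --system "$FIXED_RUBYGEMS"
    # Verify by asking gem again rather than trusting the update's own output.
    current=$(gem --version)
    if version_lt "$current" "$FIXED_RUBYGEMS"; then
        echo "Upgrade did not take effect; RubyGems is still $current" >&2
        return 1
    fi
    echo "RubyGems is now $current"
    return 0
}

# Only act when explicitly asked, so sourcing the file has no side effects.
case ${1:-} in
    --check|--fix) rubygems_status "$1" ;;
esac
```

Run it as `sh check_rubygems.sh --check` to report only, or `--fix` to upgrade and re-verify. Two caveats: some distribution-packaged Rubies (Debian and its derivatives, for example) deliberately block `gem update --system`, and on those the fix has to come from the distribution's own rubygems package instead; and when several Rubies are installed side by side (rbenv, rvm, a system Ruby), each carries its own RubyGems, so the check has to be run under each of them.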

You can find more info about this issue in the links below:

RubyGems project
Hacker News

If you have further questions about Ruby or this security issue, please post to our community forums and we will be happy to help you.
