According to the official Ruby programming language website, multiple vulnerabilities have been detected in RubyGems.
Multiple vulnerabilities in RubyGems https://t.co/VRhFKsO2im
— Ruby on Rails (@RubyOnRRails) 30 August 2017
What vulnerabilities were spotted exactly?
The following vulnerabilities have been reported:
- a DNS request hijacking vulnerability
- an ANSI escape sequence vulnerability
- a DoS vulnerability in the query command
- a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files
The official Ruby website lists the following Ruby releases as affected, because they bundle a vulnerable RubyGems, and strongly recommends that their users apply one of the fixes below as soon as possible.
- Ruby 2.2 series: 2.2.7 and earlier
- Ruby 2.3 series: 2.3.4 and earlier
- Ruby 2.4 series: 2.4.1 and earlier
- prior to trunk revision 59672
How to fix these issues?
Don't panic! At the moment there is no Ruby release that includes the fix for RubyGems, but you can upgrade RubyGems itself to the latest version: RubyGems 2.6.13 or later includes the fix for all four vulnerabilities.
gem update --system
If you can't upgrade RubyGems, you can apply the following patches to the bundled RubyGems as a workaround.
- for Ruby 2.2.7
- for Ruby 2.3.4
- for Ruby 2.4.1: two patches are needed; apply them in this order:
- RubyGems 2.6.11 to 2.6.12
- RubyGems 2.6.12 to 2.6.13
For trunk, update to the latest revision.
Learn more at the official Ruby website.
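Because RubyGems can be upgraded independently of the interpreter, the Ruby version alone does not tell you whether a machine is still exposed: a Ruby 2.4.1 host that has already run `gem update --system` is fixed, while a freshly installed one is not. The small script below is an added example (not code from the Ruby advisory) that puts the authoritative check on `Gem::VERSION` against the fixed release 2.6.13 and uses the affected Ruby series from the list above only as a secondary note. The function names are my own.

```ruby
# Added example, not part of the official advisory: report whether the running
# interpreter still carries the vulnerable RubyGems. The authoritative signal is
# Gem::VERSION, because RubyGems is updated separately from Ruby with
# `gem update --system`; the Ruby-series check only says whether the RubyGems
# that *shipped* with that Ruby release was vulnerable.

# First RubyGems release containing the fix, per the advisory.
FIXED_RUBYGEMS = Gem::Version.new("2.6.13")

# Last affected patch level of each Ruby series named in the advisory.
AFFECTED_RUBY = {
  "2.2" => Gem::Version.new("2.2.7"),
  "2.3" => Gem::Version.new("2.3.4"),
  "2.4" => Gem::Version.new("2.4.1"),
}.freeze

# True when the given RubyGems version predates the fix.
def rubygems_vulnerable?(version = Gem::VERSION)
  Gem::Version.new(version) < FIXED_RUBYGEMS
end

# True when this Ruby release shipped with a vulnerable RubyGems, false when it
# is a later patch level of a listed series, nil for series the advisory does
# not cover (e.g. trunk / 2.5 development builds).
def ruby_shipped_vulnerable?(ruby_version = RUBY_VERSION)
  v = Gem::Version.new(ruby_version)
  series = v.segments.first(2).join(".")
  last_bad = AFFECTED_RUBY[series]
  return nil unless last_bad
  v <= last_bad
end

# One-line verdict combining both checks; the RubyGems version decides.
def verdict(rubygems_version = Gem::VERSION, ruby_version = RUBY_VERSION)
  if rubygems_vulnerable?(rubygems_version)
    "RubyGems #{rubygems_version} is vulnerable: run `gem update --system` " \
      "(fix is in #{FIXED_RUBYGEMS})"
  else
    shipped = ruby_shipped_vulnerable?(ruby_version)
    note = shipped ? " (Ruby #{ruby_version} shipped vulnerable, but RubyGems was upgraded)" : ""
    "RubyGems #{rubygems_version} is patched#{note}"
  end
end

puts verdict if __FILE__ == $PROGRAM_NAME
```

Run it with the interpreter you want to audit (`ruby check_rubygems.rb`); on a fleet, the same `verdict` call can be executed over SSH per host, and only hosts whose `Gem::VERSION` is below 2.6.13 need the update or one of the patches listed above.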