Multiple vulnerabilities detected in RubyGems

Ruby 2.2 series: 2.2.7 and earlier; Ruby 2.3 series: 2.3.4 and earlier; and Ruby 2.4 series: 2.4.1 and earlier are affected
30 August 2017

According to the official Ruby programming language website, multiple vulnerabilities have been detected in RubyGems.

What vulnerabilities are spotted exactly?

The following vulnerabilities have been reported.

  • a DNS request hijacking vulnerability
  • an ANSI escape sequence vulnerability
  • a DoS vulnerability in the query command
  • a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files

The official Ruby website strongly recommends that Ruby users apply one of the following workarounds as soon as possible.

Affected Versions

  • Ruby 2.2 series: 2.2.7 and earlier
  • Ruby 2.3 series: 2.3.4 and earlier
  • Ruby 2.4 series: 2.4.1 and earlier
  • prior to trunk revision 59672

How to solve these issues?

Don't panic! At the moment, there are no Ruby releases that include the fix for RubyGems, but you can upgrade RubyGems itself to the latest version. RubyGems 2.6.13 or later includes the fix for the vulnerabilities.

gem update --system

If you can’t upgrade RubyGems, you can apply the following patches as a workaround.

  • for Ruby 2.2.7
  • for Ruby 2.3.4
  • for Ruby 2.4.1: two patches are needed; apply them sequentially as follows:
    1. RubyGems 2.6.11 to 2.6.12
    2. RubyGems 2.6.12 to 2.6.13

About the trunk, update to the latest revision.
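The advisory gives the fixed RubyGems version (2.6.13) and the affected Ruby series, but not a way to check a host against them. The following script is an added example, not code from the Ruby project or the advisory: it compares the running RubyGems and Ruby versions against the advisory's numbers using Gem::Version, so that "2.6.9" correctly sorts below "2.6.13" (a plain string comparison gets this wrong). The status strings and the "update recommended" case for Ruby versions outside the listed series are assumptions made for this example.

```ruby
# Added example (not from the Ruby advisory): a host inventory check that decides whether
# the RubyGems fix described in the advisory is present on this interpreter.
require 'rubygems'

# RubyGems version that carries the fix, as stated in the advisory.
FIXED_RUBYGEMS = Gem::Version.new('2.6.13')

# Affected Ruby series from the advisory: series prefix => last affected patch release.
AFFECTED_RUBY_SERIES = {
  '2.2' => Gem::Version.new('2.2.7'),
  '2.3' => Gem::Version.new('2.3.4'),
  '2.4' => Gem::Version.new('2.4.1'),
}.freeze

# True when the given RubyGems version string already contains the fix.
# Gem::Version compares numerically per segment, so '2.6.9' < '2.6.13'.
def rubygems_fixed?(version_string)
  Gem::Version.new(version_string) >= FIXED_RUBYGEMS
end

# True when the given Ruby version falls inside one of the affected series.
# Series the advisory does not list (e.g. 2.5.x) are reported as not affected.
def ruby_series_affected?(ruby_version_string)
  version = Gem::Version.new(ruby_version_string)
  series = version.segments.first(2).join('.')
  last_affected = AFFECTED_RUBY_SERIES[series]
  !last_affected.nil? && version <= last_affected
end

# Combine both checks into a short status line for fleet inventory output
# (the wording of the three statuses is an assumption of this example).
def advisory_status(ruby_version_string, rubygems_version_string)
  if rubygems_fixed?(rubygems_version_string)
    'ok: RubyGems already includes the fix'
  elsif ruby_series_affected?(ruby_version_string)
    'vulnerable: run `gem update --system` or apply the workaround patch'
  else
    'update recommended: RubyGems predates the fix'
  end
end

if __FILE__ == $PROGRAM_NAME
  # Report on the interpreter this script is running under.
  puts "Ruby #{RUBY_VERSION}, RubyGems #{Gem::VERSION}: " \
       "#{advisory_status(RUBY_VERSION, Gem::VERSION)}"
end
```

Run it with the Ruby binary you want to audit (`ruby check_rubygems.rb`); a bundled RubyGems older than 2.6.13 on an affected series is exactly the case the advisory's `gem update --system` step addresses.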

Learn more at official Ruby website

Git 2.20 to be Available

Let's check the updates and features of the new version of the version control system
11 December 2018

The distributed version control system Git has received another update. To bring Git 2.20 about, 83 developers made 962 changes to the code. According to the team, this is an order of magnitude more than the same figure for the largest previous release of the 2.x.x branch.

The git branch -l command is now a shortened form of git branch --list; it used to enable the reflog during the creation of a new branch. Developers have restricted git fetch: such updates are now only possible with --force, to avoid consistency problems when updating the reference.

The git help -a and git help -av commands now display more verbose output to help newcomers. To return to the old view, type git help --no-verbose -a. git send-email can now extract address lines whose trailer names end with "-by" from signatures. This is an incompatible change, and it can be disabled by adding --suppress-cc=misc-by to the command.

  • If the repository contains files whose names differ only in letter case, a warning is displayed while git clone runs.
  • The git format-patch command received the --interdiff and --range-diff options, which list the differences between the current and previous versions of a series in a note or in the cover letter.
  • git mailinfo learned to recover code patches sent by email as plain text and damaged by hyphenation.
  • git multi-pack-index now repairs damage in .midx files.
  • Creating experimental commit-graph files for large repositories takes a long time, so the developers have added progress output about the state of the process.

Performance and Development Support

  • For developer builds, the -Wunused-function compilation option is enabled.
  • git submodule update is completely rewritten in C.
  • One of the continuous integration (CI) tests, designed to work with the unusual/experimental/random settings, now supports midx and commit-graph files.
  • A new mechanism for finding objects among a large number of pack-files. It relies on combining all .idx files into one.

The previous version of the system was released in September 2018.