Multiple vulnerabilities detected in RubyGems

Ruby 2.2 series: 2.2.7 and earlier; Ruby 2.3 series: 2.3.4 and earlier; and Ruby 2.4 series: 2.4.1 and earlier are affected
30 August 2017

According to the official Ruby programming language website, multiple vulnerabilities have been detected in RubyGems.

What vulnerabilities are spotted exactly?

The following vulnerabilities have been reported.

  • a DNS request hijacking vulnerability
  • an ANSI escape sequence vulnerability
  • a DoS vulnerability in the query command
  • a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files

The official Ruby website strongly recommends that Ruby users apply one of the following workarounds as soon as possible.

Affected Versions

  • Ruby 2.2 series: 2.2.7 and earlier
  • Ruby 2.3 series: 2.3.4 and earlier
  • Ruby 2.4 series: 2.4.1 and earlier
  • prior to trunk revision 59672

How to solve these issues?

Don't panic! At the moment there are no Ruby releases that include the fix for RubyGems, but you can upgrade RubyGems to the latest version: RubyGems 2.6.13 or later includes the fix for these vulnerabilities.

gem update --system

If you can’t upgrade RubyGems, you can apply the following patches as a workaround.

  • for Ruby 2.2.7
  • for Ruby 2.3.4
  • for Ruby 2.4.1: need 2 patches. Apply sequentially as follows:
    1. RubyGems 2.6.11 to 2.6.12
    2. RubyGems 2.6.12 to 2.6.13

About the trunk, update to the latest revision.
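As an added example (not code from the advisory or from RubyGems itself), a small Ruby check that decides, from a Ruby version and a RubyGems version, whether a host still needs `gem update --system` or the patches listed above; the version thresholds are the ones stated in the advisory.

```ruby
# Added example: classify a Ruby/RubyGems pair against the advisory above.
# Thresholds are transcribed from the advisory; nothing here is RubyGems'
# own API beyond Gem::Version, which ships with RubyGems.
require "rubygems"

# RubyGems 2.6.13 or later includes the fix.
FIXED_RUBYGEMS = Gem::Version.new("2.6.13")

# Ruby release series listed as affected, mapped to the last affected patch release.
AFFECTED_RUBY = {
  "2.2" => Gem::Version.new("2.2.7"),
  "2.3" => Gem::Version.new("2.3.4"),
  "2.4" => Gem::Version.new("2.4.1"),
}.freeze

# True when the Ruby release itself is in the advisory's affected table
# (i.e. it shipped with a RubyGems older than 2.6.13).
def ruby_release_affected?(ruby_version)
  v = Gem::Version.new(ruby_version)
  series = v.segments[0, 2].join(".")
  last_bad = AFFECTED_RUBY[series]
  return false if last_bad.nil?
  v <= last_bad
end

# The installed RubyGems decides the real exposure: `gem update --system`
# can fix an otherwise affected Ruby release.
def rubygems_fixed?(rubygems_version)
  Gem::Version.new(rubygems_version) >= FIXED_RUBYGEMS
end

# :fixed            -> nothing to do
# :update_rubygems  -> affected Ruby release with old RubyGems; update or patch
# :check_rubygems   -> Ruby series not in the advisory table, but RubyGems
#                      is still older than 2.6.13, so update it anyway
def advisory_status(ruby_version, rubygems_version)
  return :fixed if rubygems_fixed?(rubygems_version)
  ruby_release_affected?(ruby_version) ? :update_rubygems : :check_rubygems
end

if __FILE__ == $PROGRAM_NAME
  status = advisory_status(RUBY_VERSION, Gem::VERSION)
  puts "Ruby #{RUBY_VERSION} / RubyGems #{Gem::VERSION}: #{status}"
end
```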

Learn more at the official Ruby website.

Ruby/RoR News Digest 30.11 - 6.12

Using Rubyfmt with Atom, overpacking as a common Webpacker mistake, RubyConf 2019 Tony Drake's speech and more 
06 December 2019

Greetings! I hope your week went great! Here's the new Ruby news digest.

Learn about Ruby 2.7's shorthand syntax for argument forwarding, what's new in Ruby 2.7, the RubyConf 2019 main takeaways from the keynote (as text) and much more!

Guides

  • Ruby 2.7 Adds Shorthand Syntax for Argument Forwarding 

In Ruby 2.7 you can use the syntax ... in parameter or argument lists to 'pass through' (or forward) arguments from one method to another.

  • Using Rubyfmt with Atom

Rubyfmt is inspired by Go's gofmt formatting tool; it formats existing Ruby code, and you can set it up as you like.

  • From ActiveRecord Callbacks to Publish/Subscribe Pattern and Event-driven Design

Learn how to move a legacy app from the old design to a cleaner one, from ActiveRecord callbacks to event-driven design.

  • Overpacking.. A Common Webpacker Mistake

Learn about a common mistake Webpacker users make, how to avoid it, and how to save deploy time.

  • Ruby - raise Exception.new or raise Exception - they're both the same

Learn why they are the same

Articles

  • What’s New in Ruby 2.7? 

There are a lot of new things coming in 2.7, including controversial ones like pattern matching, numbered parameters, and keyword argument changes.

  • Rubyconf 2019 — Main takeaways from the keynote — Ruby 2.7, 3.0 and the road ahead

If you missed the biggest Ruby event of the year, don't worry: check these takeaways.

  • A Q&A with Eileen Uchitelle

An interview with a Staff Software Engineer on the Ruby Architecture Team at GitHub and a member of the Rails Core team.

Video

  • RubyConf 2019 - JRuby: Zero to Scale! by Charles Oliver Nutter and Thomas E Enebo

  • RubyConf 2019 - Containerizing Local Development... Is It Worth it? by Tony Drake