Multiple vulnerabilities detected in RubyGems

Ruby 2.2 series: 2.2.7 and earlier; Ruby 2.3 series: 2.3.4 and earlier; and Ruby 2.4 series: 2.4.1 and earlier are affected
30 August 2017

According to the official Ruby programming language website, multiple vulnerabilities have been detected in RubyGems.

Which vulnerabilities were found exactly?

The following vulnerabilities have been reported.

  • a DNS request hijacking vulnerability
  • an ANSI escape sequence vulnerability
  • a DoS vulnerability in the query command
  • a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files

The official Ruby website strongly recommends that Ruby users apply one of the following workarounds as soon as possible.

Affected Versions

  • Ruby 2.2 series: 2.2.7 and earlier
  • Ruby 2.3 series: 2.3.4 and earlier
  • Ruby 2.4 series: 2.4.1 and earlier
  • prior to trunk revision 59672

How to solve these issues?

Don't panic! At the moment, there are no Ruby releases that include the fix for RubyGems, but you can upgrade RubyGems itself to the latest version: RubyGems 2.6.13 or later includes the fix for the vulnerabilities.

gem update --system

If you can't upgrade RubyGems, you can apply the following patches as a workaround.

  • for Ruby 2.2.7
  • for Ruby 2.3.4
  • for Ruby 2.4.1: need 2 patches. Apply sequentially as follows:
    1. RubyGems 2.6.11 to 2.6.12
    2. RubyGems 2.6.12 to 2.6.13

For trunk, update to the latest revision.
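The remediation above comes down to two questions: is the installed RubyGems older than 2.6.13, and if so, which Ruby series is the host on (which decides which patch to apply)? The following script is an added example, not code from the Ruby advisory; it encodes the advisory's version ranges with the standard `Gem::Version` class so an administrator can run it on a host and get a verdict. The status symbols (`:fixed`, `:affected`, `:rubygems_outdated`) are names chosen here for illustration.

```ruby
# Added example: classify a host against the RubyGems advisory using the
# version ranges it lists. Not part of the advisory itself.
require 'rubygems'

# Affected Ruby series from the advisory; each series is affected up to and
# including the listed patch level.
AFFECTED_RUBY = {
  '2.2' => Gem::Version.new('2.2.7'),
  '2.3' => Gem::Version.new('2.3.4'),
  '2.4' => Gem::Version.new('2.4.1')
}.freeze

# First RubyGems release that ships the fix.
FIXED_RUBYGEMS = Gem::Version.new('2.6.13')

# True when the given RubyGems version predates the fixed release.
def rubygems_vulnerable?(rubygems_version)
  Gem::Version.new(rubygems_version) < FIXED_RUBYGEMS
end

# True when the Ruby version is in one of the listed series and at or below
# that series' last affected patch level. Series the advisory does not list
# are reported as not affected by this check.
def ruby_series_affected?(ruby_version)
  v = Gem::Version.new(ruby_version)
  series = v.segments[0, 2].join('.')
  last_affected = AFFECTED_RUBY[series]
  !last_affected.nil? && v <= last_affected
end

# Combined verdict. The bundled RubyGems version is what matters, because the
# fix ships in RubyGems 2.6.13; the Ruby series tells you which patch to apply
# when `gem update --system` is not an option. (Status names are illustrative.)
def advisory_status(ruby_version:, rubygems_version:)
  if !rubygems_vulnerable?(rubygems_version)
    :fixed
  elsif ruby_series_affected?(ruby_version)
    :affected
  else
    :rubygems_outdated
  end
end

# Run directly to check the interpreter executing the script.
if __FILE__ == $PROGRAM_NAME
  status = advisory_status(ruby_version: RUBY_VERSION, rubygems_version: Gem::VERSION)
  puts "Ruby #{RUBY_VERSION}, RubyGems #{Gem::VERSION}: #{status}"
end
```

A host on Ruby 2.4.1 with RubyGems 2.6.11 is reported as `:affected` (apply both 2.4.1 patches in order, or update RubyGems); the same host after `gem update --system` reports `:fixed`. A host whose Ruby series is outside the table but whose RubyGems is still older than 2.6.13 is reported as `:rubygems_outdated`, since the advisory's fix lives in RubyGems rather than in the interpreter.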

Learn more at the official Ruby website

RubyMine 2018.2 to be Released

Great news for Ruby developers: a new version of the popular IDE is available now
27 July 2018

JetBrains has released RubyMine 2018.2, a major summer update of its integrated development environment. Among the new features are improved code analysis, support for additional version managers, rerunning only failed tests, and much more.

Code analysis

The new version of the IDE has received improved type inference, which lets it better determine the types of elements in blocks, arrays and hashes. This improves code completion and navigation throughout the project:

Element Completion

In addition, RubyMine now correctly recognizes models that use polymorphic associations and provides full support for its "smart" features on them.

Version Managers

The updated development environment now supports chruby and asdf. Moreover, all version managers are now available in WSL, Docker, SSH and other remote connections.

Testing

RubyMine 2018.2 allows you to rerun only those tests that failed. According to the developers, this frees the user from manually going through each failed check. The new function also works with the rake test and rake spec presets:

Rerun Failed Tests

YAML

In this update, the developers paid attention to the YAML data serialization format. YAML can now be formatted directly in the IDE, with all of the autocomplete and code navigation features available. Moreover, the new version of RubyMine provides automatic completion of YAML data structures that have JSON Schema files, and the ability to copy and paste the key path to a value in .yml files.

Git

Support for version control in RubyMine 2018.2 has received several new features:

  • files with a merge conflict are now grouped in a separate node;
  • a new action, Browse Repository at Revision, allows you to examine the state of the repository at any revision;
  • it is now possible to skip the Push action during the Commit and Push command, or to use it only for protected branches;
  • you can connect an unlimited number of GitHub accounts and select the main one for each project.

Other improvements

In addition to general performance improvements, the new version of the IDE brings new icons, a dark theme for macOS, support for the Touch Bar, improved support for JS, TypeScript and CoffeeScript (described in the overview of the WebStorm 2018.2 IDE update), and the ability to attach the debugger to remote processes without having to restart them.