August 30, 2017 - RubyGems security vulnerability

Important

This vulnerability and its suggested fix have been superseded by the March 2019 Security Advisories. Please refer to that article for recommended versions and resolution actions rather than following this article.


Rubygems 2.6.13 has been released to address multiple vulnerabilities:

  • A DNS request hijacking vulnerability
  • An ANSI escape sequence vulnerability
  • A DoS vulnerability in the query command
  • A vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files

Solution

Temporary solutions for the V4 (Gentoo 12.11) and V5 (Gentoo 16.06) stacks are available. We are working on updating these stacks for a more permanent solution.

Engine Yard Gentoo 12.11 (stable-v4)

Make use of this custom chef recipe: https://github.com/engineyard/ey-cloud-recipes/tree/rubygems-update/cookbooks/rubygems-update/recipes

Please refer to this KnowledgeBase article if you need help in getting started with V4 custom chef recipes.

Engine Yard Gentoo 16.06 (stable-v5)

Add this block to the end of cookbooks/ey-custom/recipes/after-main.rb:

# Install the rubygems-update gem pinned to 2.6.13, then run its updater
execute "Update to rubygems 2.6.13" do
  command "gem install -v 2.6.13 rubygems-update && update_rubygems"
  # Guard so the update is skipped once gem already reports 2.6.13
  not_if "gem --version | grep -q '^2.6.13$'"
end

Please refer to https://github.com/engineyard/ey-cookbooks-stable-v5#usage if you need help in getting started with V5 custom chef recipes.

Note

The default version of bundler installed by the deploy process (1.7.9) has compatibility issues with the new version of RubyGems. Should you see issues with installation of gems on the deploy following the RubyGems upgrade, please upgrade the version of bundler from the default by adding a newer version (>1.13.0 is recommended) to your Gemfile, then re-bundling and re-deploying.
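To confirm after a deploy that a host meets the versions this article names (RubyGems 2.6.13 and Bundler above 1.13.0), here is an added Ruby check that is not part of the original article or Engine Yard's recipes; it assumes it runs under the same Ruby the deploys use and relies on RubyGems' own Gem::Version comparison rather than string comparison.

```ruby
require "rubygems"

# Minimum versions named in this advisory: RubyGems 2.6.13 and Bundler > 1.13.0.
RUBYGEMS_FIXED = Gem::Version.new("2.6.13")
BUNDLER_MIN    = Gem::Version.new("1.13.0")

# True when the given RubyGems version string is at or above the patched release.
# Gem::Version compares segment by segment, so "2.6.13" > "2.6.9"; a plain
# string comparison would get that wrong.
def rubygems_patched?(version)
  Gem::Version.new(version) >= RUBYGEMS_FIXED
end

# True when the Bundler version is newer than 1.13.0, as the note above
# recommends to avoid compatibility issues with the upgraded RubyGems.
def bundler_compatible?(version)
  Gem::Version.new(version) > BUNDLER_MIN
end

# Inspect the running system. Gem::VERSION is RubyGems' own version constant;
# Bundler's version is read from the newest installed gem specification
# (assumption: this script runs under the Ruby used for deploys).
def check_host
  bundler_spec = Gem::Specification.find_all_by_name("bundler").max_by(&:version)
  bundler_version = bundler_spec ? bundler_spec.version.to_s : nil
  {
    rubygems: Gem::VERSION,
    rubygems_ok: rubygems_patched?(Gem::VERSION),
    bundler: bundler_version,
    bundler_ok: bundler_version ? bundler_compatible?(bundler_version) : false,
  }
end

if __FILE__ == $PROGRAM_NAME
  result = check_host
  puts "RubyGems #{result[:rubygems]}: #{result[:rubygems_ok] ? 'patched' : 'NEEDS UPDATE'}"
  puts "Bundler #{result[:bundler] || 'not installed'}: #{result[:bundler_ok] ? 'ok' : 'upgrade to > 1.13.0'}"
end
```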
