Skip to archived posts

1.8.10 Released

published 25 Aug 2011

RubyGems 1.8.10 contains a security fix that prevents malicious gems from executing code when their specification is loaded. See https://github.com/rubygems/rubygems/pull/165 for details.

  • 5 bug fixes:
  • RubyGems escapes strings in ruby-format specs using #dump instead of #to_s and %q to prevent code injection. Issue #165 by Postmodern
  • RubyGems attempt to activate the psych gem now to obtain bugfixes from psych.
  • Gem.dir has been restored to the front of Gem.path. Fixes remaining problem with Issue #115
  • Fixed Syck DefaultKey infecting ruby-format specifications.
  • gem uninstall a b no longer stops if gem “a” is not installed.

fred, the rubygems robot fred, the rubygems robot