Back to blog posts
25 Aug 2011
by fred, the rubygems robot
RubyGems 1.8.10 contains a security fix that prevents malicious gems from executing code when their specification is loaded. See https://github.com/rubygems/rubygems/pull/165 for details.
5 bug fixes:
- RubyGems escapes strings in ruby-format specs using #dump instead of #to_s and %q to prevent code injection. Issue #165 by Postmodern
- RubyGems attempt to activate the psych gem now to obtain bugfixes from psych.
- Gem.dir has been restored to the front of Gem.path. Fixes remaining problem with Issue #115
- Fixed Syck DefaultKey infecting ruby-format specifications.
gem uninstall a bno longer stops if gem “a” is not installed.