RubyGems Navigation menu

Blog

Back to blog posts

2.6.13 Released

RubyGems 2.6.13 includes security fixes.

To update to the latest RubyGems you can run:

gem update --system

If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page.

Security fixes:

  • Fix a DNS request hijacking vulnerability. Discovered by Jonathan Claudius, fix by Samuel Giddins. (CVE-2017-0902)
  • Fix an ANSI escape sequence vulnerability. Discovered by Yusuke Endoh, fix by Evan Phoenix. (CVE-2017-0899)
  • Fix a DOS vulernerability in the query command. Discovered by Yusuke Endoh, fix by Samuel Giddins. (CVE-2017-0900)
  • Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel Giddins. (CVE-2017-0901)

As always, please report any security issues discovered in RubyGems to the RubyGems project on HackerOne.

SHA256 Checksums:

  • rubygems-2.6.13.tgz
    d041502ae77e8d49e0a436483fb91f9ad6cc1489e49e0735e7c4a7cf10e728c9
  • rubygems-2.6.13.zip
    08011f0d41b5cd2e49a134bc24183476983bfe14be4cc3a630ab21fe1d3817fd
  • rubygems-update-2.6.13.gem
    20abbf7754b82c46aacf12c831339870f4cd1ec069d256d338f1041298badda9
Samuel Giddins