2.6.13 Released

RubyGems 2.6.13 includes security fixes.

To update to the latest RubyGems you can run:

gem update --system

If you need to upgrade or downgrade, please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand, see the Download RubyGems page.

Security fixes:

  • Fix a DNS request hijacking vulnerability. Discovered by Jonathan Claudius, fix by Samuel Giddins.
  • Fix an ANSI escape sequence vulnerability. Discovered by Yusuke Endoh, fix by Evan Phoenix.
  • Fix a DoS vulnerability in the query command. Discovered by Yusuke Endoh, fix by Samuel Giddins.
  • Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel Giddins.

As always, please report any security issues discovered in RubyGems to the RubyGems project on HackerOne.

SHA256 Checksums:

  • rubygems-2.6.13.tgz
    d041502ae77e8d49e0a436483fb91f9ad6cc1489e49e0735e7c4a7cf10e728c9
  • rubygems-2.6.13.zip
    08011f0d41b5cd2e49a134bc24183476983bfe14be4cc3a630ab21fe1d3817fd
  • rubygems-update-2.6.13.gem
    20abbf7754b82c46aacf12c831339870f4cd1ec069d256d338f1041298badda9
Samuel Giddins