2.6.13 Released

RubyGems 2.6.13 includes security fixes.

To update to the latest RubyGems you can run:

gem update --system

If you need to upgrade or downgrade, please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand, see the Download RubyGems page.

Security fixes:

  • Fix a DNS request hijacking vulnerability. Discovered by Jonathan Claudius, fix by Samuel Giddins.
  • Fix an ANSI escape sequence vulnerability. Discovered by Yusuke Endoh, fix by Evan Phoenix.
  • Fix a DoS vulnerability in the query command. Discovered by Yusuke Endoh, fix by Samuel Giddins.
  • Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel Giddins.

As always, please report any security issues discovered in RubyGems to the RubyGems project on HackerOne.

SHA256 Checksums:

  • rubygems-2.6.13.tgz
  • rubygems-update-2.6.13.gem
Samuel Giddins