27 Aug 2017
by Samuel Giddins
RubyGems 2.6.13 includes security fixes.
To update to the latest RubyGems you can run:
gem update --system
If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page.
- Fix a DNS request hijacking vulnerability. Discovered by Jonathan Claudius, fix by Samuel Giddins. (CVE-2017-0902)
- Fix an ANSI escape sequence vulnerability. Discovered by Yusuke Endoh, fix by Evan Phoenix. (CVE-2017-0899)
- Fix a DoS vulnerability in the `query` command. Discovered by Yusuke Endoh, fix by Samuel Giddins. (CVE-2017-0900)
- Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel Giddins. (CVE-2017-0901)
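The announcement names the bug classes but not their mechanics, so the following is an added example, not code from the RubyGems project: three small defensive checks a team could run on its own side of the fence, corresponding to the items above. `rubygems_patched?` confirms that a RubyGems version string already carries the 2.6.13 fixes; `sanitize_for_terminal` strips terminal control sequences from untrusted gem metadata before it is echoed to a terminal (the kind of data behind the ANSI escape sequence fix); `paths_contained?` rejects file entries that would resolve outside the gem's own install directory (the kind of write the installer fix prevents). All three function names, the regex and the sample paths are assumptions made for this example.

```ruby
# Added example (not RubyGems project code). Function names, the escape-sequence
# regex and the sample paths below are assumptions made for illustration.
require "rubygems"
require "pathname"

# Version that carries the fixes listed in this announcement.
FIXED_RUBYGEMS_VERSION = Gem::Version.new("2.6.13")

# True when the given RubyGems version string is at or above the fixed release.
# Defaults to the RubyGems currently loaded in this process.
def rubygems_patched?(version_string = Gem::VERSION)
  Gem::Version.new(version_string) >= FIXED_RUBYGEMS_VERSION
end

# CSI sequences (ESC '[' params intermediates final-byte) and two-byte
# ESC sequences such as ESC ']' that start OSC strings.
ANSI_ESCAPE = /\e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]|\e[\x40-\x5f]/

# Remove terminal control sequences from text that came from untrusted gem
# metadata (summary, description, author fields) before printing it.
# Anything that survives the regex is caught by the C0 control filter,
# which keeps only newline and tab.
def sanitize_for_terminal(text)
  text.gsub(ANSI_ESCAPE, "").gsub(/[\x00-\x08\x0b-\x1f\x7f]/, "")
end

# True when every entry in `files` is a relative path that, once resolved,
# still lies inside `install_dir`. Absolute paths, "~" expansions and
# "../" traversal out of the directory are rejected. Symlinks already
# present under install_dir are not resolved here, which is a known limit.
def paths_contained?(install_dir, files)
  root = File.expand_path(install_dir)
  files.all? do |f|
    next false if f.start_with?("~")
    next false if Pathname.new(f).absolute?
    target = File.expand_path(f, root)
    target == root || target.start_with?(root + File::SEPARATOR)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "running RubyGems #{Gem::VERSION}: patched=#{rubygems_patched?}"
  puts sanitize_for_terminal("name\e[2J\e[31m hidden \e[0mtext")
  # Constructed sample file lists, one clean and one with a traversal entry.
  puts paths_contained?("/tmp/gems/demo", ["lib/demo.rb", "README.md"])
  puts paths_contained?("/tmp/gems/demo", ["lib/../../../etc/passwd"])
end
```

The containment check appends a path separator to the root before comparing, so a gem directory named `demo2` is not mistaken for a child of `demo`.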
As always, please report any security issues discovered in RubyGems to the RubyGems project on HackerOne.