
2.6.13 Released

RubyGems 2.6.13 includes security fixes.

To update to the latest RubyGems you can run:

gem update --system

If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page.

Security fixes:

  • Fix a DNS request hijacking vulnerability. Discovered by Jonathan Claudius, fix by Samuel Giddins. (CVE-2017-0902)
  • Fix an ANSI escape sequence vulnerability. Discovered by Yusuke Endoh, fix by Evan Phoenix. (CVE-2017-0899)
  • Fix a DoS vulnerability in the query command. Discovered by Yusuke Endoh, fix by Samuel Giddins. (CVE-2017-0900)
  • Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel Giddins. (CVE-2017-0901)

As always, please report any security issues discovered in RubyGems to the RubyGems project on HackerOne.

SHA256 Checksums:

  • rubygems-2.6.13.tgz
  • rubygems-update-2.6.13.gem
Samuel Giddins