15 Feb 2018
2.7.6 Released
by Samuel Giddins
RubyGems 2.7.6 includes security fixes.
To update to the latest RubyGems you can run:
gem update --system
If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page.
Security fixes:
- Prevent path traversal when writing to a symlinked basedir outside of the root. Discovered by nmalkin and David Fifield, fixed by Jonathan Claudius and Samuel Giddins.
- Fix possible Unsafe Object Deserialization Vulnerability in gem owner. Fixed by Jonathan Claudius.
- Strictly interpret octal fields in tar headers. Discovered by plover, fixed by Samuel Giddins.
- Raise a security error when there are duplicate files in a package. Discovered by plover, fixed by Samuel Giddins.
- Enforce URL validation on spec homepage attribute. Discovered by Yasin Soliman, fixed by Jonathan Claudius.
- Mitigate XSS vulnerability in homepage attribute when displayed via gem server. Discovered by Yasin Soliman, fixed by Jonathan Claudius.
- Prevent Path Traversal issue during gem installation. Discovered by nmalkin and David Fifield.
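To illustrate the tar header fix above, here is an added example (not RubyGems' own code) contrasting a lenient octal field parser built on Ruby's String#oct with a strict one that accepts only octal digits plus NUL/space padding. The function names and the sample header fields are constructed for this example.

```ruby
# Added example, not RubyGems code: strict vs lenient parsing of a tar
# header octal field (e.g. the 12-byte ustar size field).
#
# String#oct honours radix prefixes such as "0x" and silently stops at the
# first invalid character, so a parser built on it accepts malformed input.

class TarFieldError < StandardError; end

# Lenient: what a String#oct based parser returns for the raw field.
def lenient_tar_octal(field)
  field.oct
end

# Strict: only octal digits, optionally followed by NUL/space padding.
# Returns the integer value or raises TarFieldError on anything else.
def strict_tar_octal(field)
  body = field.sub(/[\0 ]*\z/, "")   # drop trailing NUL/space terminators
  unless body.match?(/\A[0-7]+\z/)
    raise TarFieldError, "non-octal tar header field: #{field.inspect}"
  end
  body.to_i(8)
end

# Constructed sample fields, each 12 bytes wide like a ustar size field.
SAMPLE_FIELDS = {
  well_formed:   "00000000144\0",        # octal 144 = 100 decimal
  hex_prefix:    "0x1f\0\0\0\0\0\0\0\0", # String#oct reads this as hex 31
  trailing_junk: "0000012abc\0\0",       # String#oct stops at 'a', returns 10
  negative:      "-0000000010\0",        # String#oct returns -8
}

# Parse one field both ways; strict parsing reports :rejected on error.
def compare(field)
  strict = begin
    strict_tar_octal(field)
  rescue TarFieldError
    :rejected
  end
  { lenient: lenient_tar_octal(field), strict: strict }
end

if __FILE__ == $0
  SAMPLE_FIELDS.each { |name, field| puts "#{name}: #{compare(field)}" }
end
```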
SHA256 Checksums:
- rubygems-2.7.6.tgz 67f714a582a9ce471bbbcb417374ea9cf9c061271c865dbb0d093f3bc3371eeb
- rubygems-2.7.6.zip d6faa4cdde966db45f3e8d9d517f13bad511f7f0042b448688513ab4fb92d598
- rubygems-update-2.7.6.gem ee5ef219ac97f5499c31e6071eae424c3265620ece33b5cc66e09fa30f22086a