15 Feb 2018
by Samuel Giddins
RubyGems 2.7.6 includes security fixes.
To update to the latest RubyGems you can run:
gem update --system
If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page.
- Prevent path traversal when writing to a symlinked basedir outside of the root. Discovered by nmalkin and David Fifield, fixed by Jonathan Claudius and Samuel Giddins.
- Fix possible Unsafe Object Deserialization Vulnerability in gem owner. Fixed by Jonathan Claudius.
- Strictly interpret octal fields in tar headers. Discovered by plover, fixed by Samuel Giddins.
- Raise a security error when there are duplicate files in a package. Discovered by plover, fixed by Samuel Giddins.
- Enforce URL validation on spec homepage attribute. Discovered by Yasin Soliman, fixed by Jonathan Claudius.
- Mitigate XSS vulnerability in homepage attribute when displayed via gem server. Discovered by Yasin Soliman, fixed by Jonathan Claudius.
- Prevent Path Traversal issue during gem installation. Discovered by nmalkin and David Fifield.
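The entries above are one line each, so here is an added illustration of the classes of check they describe: strict octal parsing of tar header fields, resolving an entry's destination through existing symlinks before allowing a write under the install root, rejecting duplicate entries in a package, and validating a spec homepage as an http(s) URL. This is example code written for this post, not RubyGems' own implementation; the `StrictTar` module and its method names are hypothetical, and the sample inputs are constructed.

```ruby
# Added example (not RubyGems' own code): stand-alone checks in the spirit of
# the 2.7.6 fixes. Module and method names are hypothetical.
require "pathname"
require "uri"

class TarSecurityError < StandardError; end

module StrictTar
  OCTAL_FIELD = /\A[0-7]*\z/

  # Numeric tar header fields (mode, uid, size, mtime, checksum) are ASCII octal
  # digits padded with NUL and/or space. Accept only octal digits after stripping
  # that padding; anything else is rejected rather than silently truncated the
  # way String#oct would do ("12abc".oct == 10, "0x1f".oct == 31).
  def self.parse_octal(field)
    digits = field.delete("\0 ")
    unless digits.match?(OCTAL_FIELD)
      raise TarSecurityError, "non-octal tar header field #{field.inspect}"
    end
    digits.empty? ? 0 : digits.to_i(8)
  end

  # Resolve where an archive entry would be written and require that the
  # resolved path stays inside root. Symlinks already present on disk are
  # followed, so a symlinked basedir (or a symlink dropped earlier in the same
  # archive) cannot redirect later writes outside the root.
  def self.safe_destination(root, entry_name)
    root_real = File.realpath(root)
    dest = File.expand_path(entry_name, root_real) # collapses "..", handles absolute names

    # Walk up to the deepest component that exists (or is a symlink, so a
    # dangling link is not mistaken for a plain missing directory).
    existing = dest
    until File.exist?(existing) || File.symlink?(existing)
      existing = File.dirname(existing)
    end
    begin
      base = File.realpath(existing)
    rescue Errno::ENOENT
      raise TarSecurityError, "dangling symlink on the path of #{entry_name.inspect}"
    end
    resolved = base + dest[existing.length..]

    unless resolved == root_real || resolved.start_with?(root_real + "/")
      raise TarSecurityError, "#{entry_name.inspect} resolves outside #{root_real}"
    end
    resolved
  end

  # Reject a package whose entry list names the same file twice, comparing
  # normalised paths so "./lib/a.rb" and "lib/a.rb" count as the same entry.
  def self.check_duplicates(entry_names)
    seen = {}
    entry_names.each do |name|
      key = Pathname.new(name).cleanpath.to_s
      raise TarSecurityError, "duplicate entry #{name.inspect}" if seen[key]
      seen[key] = name
    end
    true
  end

  # A spec homepage must be an absolute http(s) URL with a host; this also keeps
  # javascript: and data: URLs out of anything that later renders it as a link.
  def self.valid_homepage?(value)
    uri = URI.parse(value.to_s)
    uri.is_a?(URI::HTTP) && !uri.host.nil? && !uri.host.empty?
  rescue URI::InvalidURIError
    false
  end
end
```

`safe_destination` deliberately resolves the deepest existing ancestor rather than only checking the literal path string: a string comparison passes `lib/evil.rb` even when `lib` is a symlink pointing outside the root, which is exactly the symlinked-basedir case in the first entry above. The duplicate check matters because a second entry with the same name would otherwise overwrite whatever the first one (and any check run against it) established.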