Multiple vulnerabilities in RubyGems

There are multiple vulnerabilities in the RubyGems bundled with Ruby. They are reported on the official RubyGems blog.

Details

The following vulnerabilities have been reported.

  • a DNS request hijacking vulnerability. (CVE-2017-0902)
  • an ANSI escape sequence vulnerability. (CVE-2017-0899)
  • a DoS vulnerability in the query command. (CVE-2017-0900)
  • a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. (CVE-2017-0901)

Ruby users are strongly recommended to upgrade Ruby or apply one of the following workarounds as soon as possible.

Affected Versions

  • Ruby 2.2 series: 2.2.7 and earlier
  • Ruby 2.3 series: 2.3.4 and earlier
  • Ruby 2.4 series: 2.4.1 and earlier
  • prior to trunk revision 59672

Workarounds

If you can’t upgrade Ruby itself, upgrade RubyGems to the latest version. RubyGems 2.6.13 or later includes the fix for the vulnerabilities.

gem update --system

If you can’t upgrade RubyGems, you can apply the following patches as a workaround.

For trunk, update to the latest revision.
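The following script is an added example, not part of the advisory, that a Ruby administrator can use to verify the state described above: it compares a RubyGems version string against 2.6.13 (the first release containing the fix) and a Ruby version string against the affected ranges listed in this advisory. The version strings in the checks at the bottom are taken from the installed `gem` and `ruby` commands when they are present; the functions themselves only need a version string, so they can be run anywhere. The numeric comparison assumes dotted integer components, and non-numeric suffixes such as "preview" are ignored.

```shell
#!/bin/sh
# Added example: checks whether installed RubyGems / Ruby versions fall
# inside the ranges named in the advisory. Not code from the advisory itself.

FIXED_RUBYGEMS="2.6.13"   # first RubyGems release that includes the fix

# version_ge A B: exit 0 if dotted version A >= B, comparing each numeric
# component in turn. Missing components count as 0; trailing non-digits
# (e.g. "0preview1") are dropped from a component (assumption of this example).
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; ai="${ai%%[!0-9]*}"; [ -n "$ai" ] || ai=0
    bi="${b%%.*}"; bi="${bi%%[!0-9]*}"; [ -n "$bi" ] || bi=0
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  return 0
}

# rubygems_fixed VERSION: exit 0 if this RubyGems version contains the fix.
rubygems_fixed() {
  version_ge "$1" "$FIXED_RUBYGEMS"
}

# ruby_affected VERSION: exit 0 if this Ruby release is in an affected range
# from the advisory ("2.2.7 and earlier" means anything below 2.2.8, etc.).
# Series not listed in the advisory are reported as not affected (exit 1).
ruby_affected() {
  case "$1" in
    2.2.*) ! version_ge "$1" "2.2.8" ;;
    2.3.*) ! version_ge "$1" "2.3.5" ;;
    2.4.*) ! version_ge "$1" "2.4.2" ;;
    *)     return 1 ;;
  esac
}

# Live check on the current machine (only when the tools are installed).
if command -v gem >/dev/null 2>&1; then
  gv="$(gem --version)"
  if rubygems_fixed "$gv"; then
    echo "RubyGems $gv: includes the fix"
  else
    echo "RubyGems $gv: vulnerable, run 'gem update --system'"
  fi
fi
if command -v ruby >/dev/null 2>&1; then
  rv="$(ruby -e 'print RUBY_VERSION')"
  if ruby_affected "$rv"; then
    echo "Ruby $rv: in an affected range, upgrade Ruby or RubyGems"
  else
    echo "Ruby $rv: not in the advisory's affected ranges"
  fi
fi
```

Because the advisory's fix lives in RubyGems, a host whose Ruby is in an affected range is still covered once `gem --version` reports 2.6.13 or later; the script therefore reports both results separately rather than collapsing them into one verdict.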

Credits

This report is based on the official blog of RubyGems.

History

  • Originally published at 2017-08-29 12:00:00 UTC
  • Added CVE numbers at 2017-08-31 2:00:00 UTC
  • Mentioned upgrading Ruby at 2017-09-15 12:00:00 UTC