Security vulnerabilities announced August 27, 2017

Jason Fleetwood-Boldt

31 Aug, 2017 06:02 PM

Do you have any more information about the attack vectors?

This document — http://blog.rubygems.org/2017/08/27/2.6.13-released.html — is disappointingly vague.

In particular, are the vulnerabilities in specific gems themselves?

I don't understand the nature of the vulnerabilities, because AFAIK, rubygems operates only when bundler installs gems.

I suppose one attack vector would be to hijack the bundler process, so when your app goes to build gems in the build process, it installs malicious code instead of the code it is supposed to install?

The security announcement is suspiciously vague as to the attack vectors here, which is why I'm asking.

Can a follow-up announcement be published describing the attack vectors, please?

thanks,
Jason

  1. Posted by Jason Fleetwood... on 31 Aug, 2017 06:17 PM

    I found what I was looking for here https://github.com/rubygems/rubygems/compare/v2.6.12...v2.6.13

    Nonetheless, I still think the security announcement should include descriptions of attack vectors.

    But what I'm looking for is in the commit messages themselves, so I'm good.

    Thanks

  2. Posted by indirect (Support Staff) on 31 Aug, 2017 10:28 PM

    Thanks for the feedback.

  3. indirect closed this discussion on 31 Aug, 2017 10:28 PM.
