<p>RubyGems.org Discussion: Security vulnerabilities announced August 27, 2017</p>
<p>Comment posted 2017-08-31T18:02:08Z</p>
<div><p>Do you have any more information about the attack vectors?</p>
<p>This document — <a href="http://blog.rubygems.org/2017/08/27/2.6.13-released.html">http://blog.rubygems.org/2017/08/27/2.6.13-released.html</a> — is disappointingly vague.</p>
<p>In particular, are the vulnerabilities in specific gems themselves?</p>
<p>I don't understand the nature of the vulnerabilities, because AFAIK, rubygems operates only when bundler installs gems.</p>
<p>I suppose one attack vector would be to hijack the bundler process, so when your app goes to build gems in the build process, it installs malicious code instead of the code it is supposed to install?</p>
<p>The security announcement is suspiciously vague as to the attack vectors here, which is why I'm asking.</p>
<p>Can a follow-up announcement be published describing the attack vectors, please?</p>
<p>Thanks,<br>
Jason</p></div>
<p>Posted by Jason Fleetwood-Boldt</p>
<p>Comment posted 2017-08-31T18:17:32Z</p>
<div><p>I found what I was looking for here: <a href="https://github.com/rubygems/rubygems/compare/v2.6.12...v2.6.13">https://github.com/rubygems/rubygems/compare/v2.6.12...v2.6.13</a></p>
<p>Nonetheless, I still think the security announcement should include descriptions of attack vectors.</p>
<p>But what I'm looking for is in the commit messages themselves, so I'm good.</p>
<p>Thanks</p></div>
<p>Posted by Jason Fleetwood-Boldt</p>
<p>Comment posted 2017-08-31T22:28:20Z</p>
<div><p>Thanks for the feedback.</p></div>
<p>Posted by indirect</p>