Security vulnerabilities announced August 27, 2017
Do you have any more information about the attack vectors?
This document — http://blog.rubygems.org/2017/08/27/2.6.13-released.html — is disappointingly vague.
In particular, are the vulnerabilities in specific gems themselves?
I don't understand the nature of the vulnerabilities, because AFAIK, rubygems operates only when bundler installs gems.
I suppose one attack vector would be to hijack the bundler process, so when your app goes to build gems in the build process, it installs malicious code instead of the code it is supposed to install?
The security announcement is suspiciously vague as to the attack vectors here, which is why I'm asking.
Can a follow-up announcement be published describing the attack vectors, please?
thanks,
Jason
1 Posted by Jason Fleetwood... on 31 Aug, 2017 06:17 PM
I found what I was looking for here https://github.com/rubygems/rubygems/compare/v2.6.12...v2.6.13
Nonetheless, I still think security announcements should include descriptions of attack vectors.
But what I'm looking for is in the commit messages themselves, so I'm good.
Thanks
Support Staff 2 Posted by indirect on 31 Aug, 2017 10:28 PM
Thanks for the feedback.
indirect closed this discussion on 31 Aug, 2017 10:28 PM.