Gem 在 RubyGems 中发现多个漏洞 [ Multiple vulnerabilities in RubyGems ]。

tesla_lee · 发布于 2017年08月30日 · 最后由 lithium4010 回复于 2017年08月31日 · 265 次阅读
57846d

以下是官方播客文章: 原文链接

There are multiple vulnerabilities in RubyGems bundled by Ruby. It is reported at the official blog of RubyGems.

Details

The following vulnerabilities have been reported.

  • a DNS request hijacking vulnerability
  • an ANSI escape sequence vulnerability
  • a DoS vulernerability in the query command
  • a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files

It is strongly recommended for Ruby users to take one of the following workarounds as soon as possible.

Affected Versions

  • Ruby 2.2 series: 2.2.7 and earlier
  • Ruby 2.3 series: 2.3.4 and earlier
  • Ruby 2.4 series: 2.4.1 and earlier
  • prior to trunk revision 59672

Workarounds

At this moment, there are no Ruby releases including the fix for RubyGems. But you can upgrade RubyGems to the latest version. RubyGems 2.6.13 or later includes the fix for the vulnerabilities.

gem update --system

If you can’t upgrade RubyGems, you can apply the following patches as a workaround.

About the trunk, update to the latest revision.

Credits

This report is based on the official blog of RubyGems.

History

Originally published at 2017-08-29 12:00:00 UTC

共收到 1 条回复
8744

使用 docker 镜像如何处理?

需要 登录 后方可回复, 如果你还没有账号请点击这里 注册