Ruby Fixes RubyGems Security

Monday, April 23, 2012 @ 10:04 AM gHale


The Ruby development team issued an update to the 1.9.3 series of its open source programming language to fix a vulnerability found in the RubyGems package management framework.

The maintenance release of the scripting language, labelled 1.9.3-p194, updates RubyGems to close a security hole that caused SSL server verification to fail for remote repositories.


The update closes the hole by disallowing redirects from https to http connections and by enabling verification of server SSL certificates in an updated version of RubyGems, 1.8.23; more details on these issues are in the latest RubyGems History file. The developers encourage those who use an https source in .gemrc or /etc/gemrc to upgrade as soon as possible.
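The two behaviours described above (server certificate verification switched on, and no redirect from https to http) look like this in a small client. This is an added Ruby example, not RubyGems' own code; the helper names and the gems.example.test redirect table are constructed for illustration.

```ruby
require "net/http"
require "openssl"
require "uri"

# All names below are illustrative; none come from RubyGems.
class DowngradeError < StandardError; end

# Build a Net::HTTP client that verifies the server certificate for https URIs.
def verified_client(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == "https"
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER # reject untrusted or mismatched certs
  end
  http
end

# Default transport: one real GET, returning [status, Location header].
REAL_GET = lambda do |uri|
  res = verified_client(uri).request_get(uri.request_uri)
  [res.code.to_i, res["location"]]
end

# Follow redirects, but never from https to a non-https target.
# `get` is injectable so the policy can be exercised offline.
def resolve(url, get: REAL_GET, limit: 5)
  uri = URI(url)
  limit.times do
    status, location = get.call(uri)
    return uri.to_s unless (300..399).cover?(status) && location
    target = uri + location # resolves relative Location values
    if uri.scheme == "https" && target.scheme != "https"
      raise DowngradeError, "refusing redirect #{uri} -> #{target}"
    end
    uri = target
  end
  raise "too many redirects"
end

# Constructed redirect table standing in for a gem source (not real servers).
SAMPLE = {
  "https://gems.example.test/a" => [302, "/b"],
  "https://gems.example.test/b" => [200, nil],
  "https://gems.example.test/c" => [301, "http://mirror.example.test/c"],
}
FAKE_GET = ->(uri) { SAMPLE.fetch(uri.to_s) }
```

Calling `resolve("https://gems.example.test/c", get: FAKE_GET)` raises `DowngradeError`, while the `/a` chain resolves normally because it stays on https.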

For further information about the update, including a full list of bug fixes, see the official release announcement and the change log. Ruby 1.9.3-p194 is available to download from the project’s site.


