|
|
|
|
|
|
by jfirebaugh
5169 days ago
|
|
|
RubyGems 1.8.23 is also out with the same fix. Two security issues were fixed: * RubyGems did not validate SSL certificates (the dreaded OpenSSL::SSL::VERIFY_NONE problem). * RubyGems allowed HTTPS-to-HTTP redirects. And in fact rubygems.org did redirect gem downloads from HTTPS to HTTP (also fixed). Either of these mean that an attacker could MITM your `gem install` or `bundle install` and give you malicious gem contents. You'd be owned when you required the gem -- possibly sooner, in fact, because gem install itself provides mechanisms for arbitrary code execution. It's also important to note that RubyGems does not default to HTTPS. I highly recommend using `source "https://rubygems.org` in your Gemfile and the following in your ~/.gemrc: :sources:
- https://rubygems.org
|
|
|