The H-Security: The Ruby development team has published an update to the 1.9.3 series of its open source programming language to fix a vulnerability found in the RubyGems package management framework.
The maintenance release of the scripting language, labelled 1.9.3-p194, updates RubyGems to close a security hole that caused SSL server verification to fail for remote repositories. This has been addressed by disallowing redirects from https to http connections and by enabling the verification of server SSL certificates in an updated version of RubyGems, 1.8.23; more details on these issues are provided in the latest RubyGems History file. The developers encourage those who use an https source in .gemrc or /etc/gemrc to upgrade as soon as possible.
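As an added illustration (not RubyGems' own code), the Ruby below models the two rules the update describes: a redirect from an https source must not downgrade to http, and an https client must verify the server certificate rather than skip verification. The host names and the stand-in fetcher are constructed so the example runs offline.

```ruby
require "net/http"
require "openssl"
require "uri"

# Rule 1: a redirect may only be followed if it keeps the transport secure.
# https -> https is fine; https -> http is refused. Relative Location headers
# are resolved against the original URI before the scheme is checked.
def redirect_allowed?(from_uri, location)
  from = URI(from_uri)
  to   = URI.join(from, location)
  return false if from.scheme == "https" && to.scheme != "https"
  true
end

# Rule 2: an https client verifies the server certificate against the system
# CA store (VERIFY_PEER) instead of the weak VERIFY_NONE setting.
def build_https_client(uri_str)
  uri  = URI(uri_str)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl     = (uri.scheme == "https")
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store  = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  http
end

# Follows up to +limit+ redirects under the policy above. +fetcher+ is a
# hypothetical stand-in for the network call: it returns [status, location, body].
def fetch_with_policy(uri_str, fetcher, limit: 5)
  current = uri_str
  limit.times do
    status, location, body = fetcher.call(current)
    return [:ok, current, body] unless status == 302
    return [:refused, current, nil] unless redirect_allowed?(current, location)
    current = URI.join(current, location).to_s
  end
  [:too_many_redirects, current, nil]
end

if __FILE__ == $0
  # Constructed responses: an https gem source that bounces to a plain-http mirror.
  downgrading = lambda do |u|
    u.start_with?("https://") ? [302, "http://mirror.example.invalid/gems/", nil] : [200, nil, "gem bytes"]
  end
  p fetch_with_policy("https://gems.example.invalid/specs.4.8.gz", downgrading)
end
```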
Further information about the update, including a full list of bug fixes, can be found in the official release announcement and in the change log. Ruby 1.9.3-p194 is available to download from the project’s site, and is distributed under either the Ruby Licence or the GPL.
The developers have also released an update to the 1.9.2 branch of Ruby (1.9.2-p320) to correct the RubyGems security problem.