August 30, 2017 - RubyGems security vulnerability

RubyGems 2.6.13 has been released to address multiple vulnerabilities:

  • A DNS request hijacking vulnerability
  • An ANSI escape sequence vulnerability
  • A DoS vulnerability in the query command
  • A vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files

Solution

Temporary solutions for the V4 (Gentoo 12.11) and V5 (Gentoo 16.06) stacks are available. We are working on updating these stacks for a more permanent solution.

Engine Yard Gentoo 12.11 (stable-v4)

Make use of this custom chef recipe: https://github.com/engineyard/ey-cloud-recipes/tree/rubygems-update/cookbooks/rubygems-update/recipes

Engine Yard Gentoo 16.06 (stable-v5)

Add this block to the end of cookbooks/ey-custom/recipes/after-main.rb:

# Install the patched rubygems-update gem and apply it to the system RubyGems
execute "Update to rubygems 2.6.13" do
  command "gem install -v 2.6.13 rubygems-update && update_rubygems"
end

Note

The default version of bundler installed by the deploy process (1.7.9) has compatibility issues with the new version of RubyGems. Should you see issues with installation of gems on the deploy following the RubyGems upgrade, please upgrade the version of bundler from the default by adding a newer version (>1.13.0 is recommended) to your Gemfile, then re-bundling and re-deploying.
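The following script is an added example, not part of the Engine Yard advisory or its recipes. It performs the two checks a practitioner would want after the upgrade: that the running RubyGems is at or above 2.6.13, and that a Gemfile.lock records a bundler version newer than 1.13.0 as recommended above. It relies on the "BUNDLED WITH" section that Bundler writes into Gemfile.lock (absent from lockfiles written by Bundler releases before 1.10, such as the default 1.7.9); the sample lockfile is constructed here for illustration.

```ruby
# Added example: verify the RubyGems patch level and the bundler version pinned
# in a Gemfile.lock. Not from the advisory; the lockfile below is constructed.
require "rubygems"

FIXED_RUBYGEMS = Gem::Version.new("2.6.13") # release that fixes the listed issues
MIN_BUNDLER    = Gem::Version.new("1.13.0") # advisory recommends a version above this

# True when +version_string+ (default: the RubyGems currently loaded) is at or
# above the fixed release. Gem::Version handles multi-part numeric comparison.
def rubygems_patched?(version_string = Gem::VERSION)
  Gem::Version.new(version_string) >= FIXED_RUBYGEMS
end

# Returns the version recorded under "BUNDLED WITH" in a Gemfile.lock, or nil
# when the section is missing (lockfiles from Bundler < 1.10 have none).
def bundled_with(lockfile_text)
  m = lockfile_text.match(/^BUNDLED WITH\n\s+(\S+)/)
  m && m[1]
end

# True only when the lockfile pins a bundler newer than 1.13.0; a missing
# section is treated as "not recommended" since it implies an old bundler.
def bundler_recommended?(lockfile_text)
  v = bundled_with(lockfile_text)
  return false if v.nil?
  Gem::Version.new(v) > MIN_BUNDLER
end

# Constructed sample Gemfile.lock (not from any real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (12.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake

  BUNDLED WITH
     1.15.4
LOCK

if __FILE__ == $PROGRAM_NAME
  # Report on the RubyGems loaded into this process and on Gemfile.lock if present.
  puts "RubyGems #{Gem::VERSION}: #{rubygems_patched? ? 'patched' : 'needs 2.6.13 or newer'}"
  lock_path = ARGV[0] || "Gemfile.lock"
  lock_text = File.exist?(lock_path) ? File.read(lock_path) : SAMPLE_LOCK
  puts "#{lock_path}: bundled with #{bundled_with(lock_text) || 'unknown'} " \
       "(#{bundler_recommended?(lock_text) ? 'ok' : 'upgrade bundler to > 1.13.0'})"
end
```

Run it from an application directory after deploying the recipe; it reads the local Gemfile.lock when one exists and otherwise falls back to the constructed sample.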