====================================================================
CERT-Renater Note d'Information No. 2017/VULN239
_____________________________________________________________________

DATE : 04/09/2017
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Ruby versions 2.2, 2.3, 2.4 prior to trunk revision 59672.

=====================================================================
http://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
____________________________________________________________________

Multiple vulnerabilities in RubyGems

Posted by usa on 29 Aug 2017

There are multiple vulnerabilities in the RubyGems bundled with Ruby. They are reported on the official blog of RubyGems.

Details

The following vulnerabilities have been reported:

- a DNS request hijacking vulnerability (CVE-2017-0902)
- an ANSI escape sequence vulnerability (CVE-2017-0899)
- a DoS vulnerability in the query command (CVE-2017-0900)
- a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files (CVE-2017-0901)

It is strongly recommended that Ruby users apply one of the following workarounds as soon as possible.

Affected Versions

- Ruby 2.2 series: 2.2.7 and earlier
- Ruby 2.3 series: 2.3.4 and earlier
- Ruby 2.4 series: 2.4.1 and earlier
- prior to trunk revision 59672

Workarounds

At this moment, there are no Ruby releases including the fix for RubyGems, but you can upgrade RubyGems to the latest version. RubyGems 2.6.13 or later includes the fix for the vulnerabilities:

    gem update --system

If you can't upgrade RubyGems, you can apply the following patches as a workaround:

- for Ruby 2.2.7
- for Ruby 2.3.4
- for Ruby 2.4.1: 2 patches are needed. Apply them sequentially as follows:
  - RubyGems 2.6.11 to 2.6.12
  - RubyGems 2.6.12 to 2.6.13

For the trunk, update to the latest revision.

Credits

This report is based on the official blog of RubyGems.

History

- Originally published at 2017-08-29 12:00:00 UTC
- Added CVE numbers at 2017-08-31 2:00:00 UTC

==========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44 +
+ 23 - 25 Rue Daviel   | fax : 01-53-94-20-41 +
+ 75013 Paris          | email: cert@support.renater.fr +
==========================================================
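The workaround above hinges on whether the installed RubyGems is at or beyond 2.6.13. The script below is an added example (not part of the CERT-Renater note or the ruby-lang.org post) that compares a RubyGems version string against that fixed release field by field, since a plain string comparison ranks "2.6.9" above "2.6.13"; the function names and the optional `gem --version` probe are this example's own, and pre-release suffixes are assumed to be ignorable.

```shell
#!/bin/sh
# Added example: is an installed RubyGems version at or beyond the fixed 2.6.13?
FIXED_RUBYGEMS="2.6.13"

# version_ge A B -> exit status 0 if dotted version A >= B, 1 otherwise.
# Fields are compared numerically; a missing field counts as 0 and any
# non-digit suffix on a field (e.g. "13.pre") is dropped (assumption).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"
        [ -n "$ax" ] || ax=0
        [ -n "$bx" ] || bx=0
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
        # drop the leading field; once no dot remains the string becomes empty
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0   # all fields equal
}

# rubygems_status VERSION -> prints "fixed" or "vulnerable" for a RubyGems version.
rubygems_status() {
    if version_ge "$1" "$FIXED_RUBYGEMS"; then echo fixed; else echo vulnerable; fi
}

# When run on a host with `gem` on PATH, report the local installation and the
# remedy named in the advisory; harmless elsewhere.
if command -v gem >/dev/null 2>&1; then
    installed="$(gem --version)"
    status="$(rubygems_status "$installed")"
    echo "RubyGems $installed: $status"
    if [ "$status" = vulnerable ]; then
        echo "remedy: gem update --system   (RubyGems 2.6.13 or later contains the fix)"
    fi
fi
```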