RubyGems Navigation menu

Blog

Back to blog posts

1.8.10 Released

RubyGems 1.8.10 contains a security fix that prevents malicious gems from executing code when their specification is loaded. See https://github.com/rubygems/rubygems/pull/165 for details.

  • 5 bug fixes:

    • RubyGems escapes strings in ruby-format specs using #dump instead of #to_s and %q to prevent code injection. Issue #165 by Postmodern
    • RubyGems attempt to activate the psych gem now to obtain bugfixes from psych.
    • Gem.dir has been restored to the front of Gem.path. Fixes remaining problem with Issue #115
    • Fixed Syck DefaultKey infecting ruby-format specifications.
    • gem uninstall a b no longer stops if gem “a” is not installed.
fred, the rubygems robot