RubyGems Navigation menu

Blog

Back to blog posts

2.7.6 Released

RubyGems 2.7.6 includes security fixes.

To update to the latest RubyGems you can run:

gem update --system

If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page.

Security fixes:

  • Prevent path traversal when writing to a symlinked basedir outside of the root. Discovered by nmalkin and David Fifield, fixed by Jonathan Claudius and Samuel Giddins.
  • Fix possible Unsafe Object Deserialization Vulnerability in gem owner. Fixed by Jonathan Claudius.
  • Strictly interpret octal fields in tar headers. Discoved by plover, fixed by Samuel Giddins.
  • Raise a security error when there are duplicate files in a package. Discovered by plover, fixed by Samuel Giddins.
  • Enforce URL validation on spec homepage attribute. Discovered by Yasin Soliman, fixed by Jonathan Claudius.
  • Mitigate XSS vulnerability in homepage attribute when displayed via gem server. Discovered by Yasin Soliman, fixed by Jonathan Claudius.
  • Prevent Path Traversal issue during gem installation. Discovered by nmalkin and David Fifield.

SHA256 Checksums:

  • rubygems-2.7.6.tgz
    67f714a582a9ce471bbbcb417374ea9cf9c061271c865dbb0d093f3bc3371eeb
  • rubygems-2.7.6.zip
    d6faa4cdde966db45f3e8d9d517f13bad511f7f0042b448688513ab4fb92d598
  • rubygems-update-2.7.6.gem
    ee5ef219ac97f5499c31e6071eae424c3265620ece33b5cc66e09fa30f22086a
Samuel Giddins