From secunia:

Description
A security issue has been reported in RubyGems, which can be exploited by malicious people to conduct spoofing attacks. The security issue is caused due to an error when verifying SSL certificates and may allow spoofing a remote repository via e.g. Man-in-the-Middle (MitM) attacks. The security issue is reported in versions prior to 1.9.3-p194.

Solution
Update to version 1.9.3-p194.
(In reply to comment #0)
> Solution
> Update to version 1.9.3-p194.

Probably not since we unbundle rubygems. We should upgrade to a newer rubygems version instead, 1.8.23 is mentioned in the ruby 1.9.3 release message.
dev-ruby/rubygems-1.8.23 is now in the tree.
We should test this version in the tree for at least a week before considering stabilization. Also, we need a newer jruby version stable first, see bug 396305.
(In reply to comment #3)
> We should test this version in the tree for at least a week before
> considering stabilization. Also, we need a newer jruby version stable first,
> see bug 396305.

jruby 1.6.5.1 has been stabilized. Is =dev-ruby/rubygems-1.8.23 fixed and are we ready to stabilize it here now? Tnx.
(In reply to comment #4)
> (In reply to comment #3)
> > We should test this version in the tree for at least a week before
> > considering stabilization. Also, we need a newer jruby version stable first,
> > see bug 396305.
>
> jruby 1.6.5.1 has been stabilized. Is =dev-ruby/rubygems-1.8.23 fixed and
> are we ready to stabilize it here now? Tnx.

rubygems 1.8.23 is fixed, so potentially it can be stabilized, but I want to coordinate this with stabilization of ruby 1.9. Also, rubygems 1.8.x was a big step compared to our previous stable version (e.g. obsoleting the gems.eclass ebuilds) so I wanted to stabilize a proven version first. I'll try to put together the stabilization bugs for this in the weekend.
Hans, @ruby, a friendly ping on this. Shall we move forward with stabilization? I suspect bug 348901 may have fixed/tracked any blockers? And we'll target 1.8.24, right? Thanks much.
(In reply to comment #6)
> Hans, @ruby, a friendly ping on this. Shall we move forward with
> stabilization? I suspect bug 348901 may have fixed/tracked any blockers? And
> we'll target 1.8.24, right? Thanks much.

I've just added arches to bug 411507 which asks for ruby 1.9 stabilization and includes rubygems 1.8.24.
Thanks, everyone. GLSA vote: no.
Thanks, folks. GLSA Vote: no too, closing noglsa.
CVE-2012-2126 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2126):
RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack.

CVE-2012-2125 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2125):
RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack.
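The two CVE descriptions above name two distinct client-side defects: a TLS connection whose peer certificate is never checked, and a redirect handler that will happily follow a 302 from https:// to http://. The following Ruby is an added example written for this page, not RubyGems' own fetcher and not code from the bug thread; it shows what a hardened gem download path has to do on both counts. Module and method names (GemFetchExample, https_client, safe_redirect?, follow) are hypothetical, and FAKE_RESPONSES is a constructed in-memory stand-in for a server so the example runs offline.

```ruby
# Added example (not RubyGems code): the two checks that CVE-2012-2126 and
# CVE-2012-2125 describe as missing from RubyGems before 1.8.23, written as
# a small standalone fetcher around Net::HTTP. All names are hypothetical.
require "net/http"
require "openssl"
require "uri"

module GemFetchExample
  class DowngradeError < StandardError; end
  class TooManyRedirects < StandardError; end

  # CVE-2012-2126: build a client that verifies the server certificate chain
  # against the system CA store. Net::HTTP can verify on its own today, but
  # setting verify_mode and a cert_store explicitly makes the intent visible
  # and fails closed if a caller later flips use_ssl on a plain client.
  def self.https_client(uri)
    uri = URI(uri)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = (uri.scheme == "https")
    if http.use_ssl?
      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
      store = OpenSSL::X509::Store.new
      store.set_default_paths            # system CA bundle
      http.cert_store = store
    end
    http
  end

  # CVE-2012-2125: a redirect that starts at https:// must never land on
  # http://, otherwise a single forged 302 strips TLS from the download.
  # Relative Locations are resolved against the source first, so "/x" keeps
  # the source's scheme.
  def self.safe_redirect?(from, to)
    from = URI(from)
    to   = URI.join(from, to)
    return true if from.scheme == "http"   # plain http to begin with: nothing to lose
    to.scheme == "https"
  end

  # Follow a chain of Location headers, applying the downgrade check at every
  # hop and bounding the chain length. `fetch` is injected so this runs
  # offline: it maps a URL to [status, location_or_body].
  def self.follow(url, limit: 5, &fetch)
    limit.times do
      status, value = fetch.call(url)
      return value unless (300..399).cover?(status)
      raise DowngradeError, "#{url} -> #{value}" unless safe_redirect?(url, value)
      url = URI.join(url, value).to_s
    end
    raise TooManyRedirects, url
  end

  # Constructed offline "server": one [status, Location-or-body] per URL.
  FAKE_RESPONSES = {
    "https://gems.example/g.gem"   => [302, "https://mirror.example/g.gem"],
    "https://mirror.example/g.gem" => [200, "GEM BYTES"],
    "https://evil.example/g.gem"   => [302, "http://evil.example/g.gem"],  # downgrade
    "http://evil.example/g.gem"    => [200, "TAMPERED"],
    "https://loop.example/g.gem"   => [302, "https://loop.example/g.gem"], # never ends
  }.freeze

  def self.demo_fetch(url)
    FAKE_RESPONSES.fetch(url) { [404, ""] }
  end
end

if __FILE__ == $0
  body = GemFetchExample.follow("https://gems.example/g.gem") { |u| GemFetchExample.demo_fetch(u) }
  puts "good chain: #{body}"
  begin
    GemFetchExample.follow("https://evil.example/g.gem") { |u| GemFetchExample.demo_fetch(u) }
  rescue GemFetchExample::DowngradeError => e
    puts "refused downgrade: #{e.message}"
  end
end
```

The redirect check lives in its own predicate so it can be unit-tested without a socket; the same split (policy in a pure function, I/O injected) is what makes a MitM regression like CVE-2012-2125 easy to pin down in a test suite. Note that VERIFY_PEER alone is only as good as the CA store behind it, which is why the example attaches one explicitly.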