Today we’re disclosing several vulnerabilities in RubyGems. They have all been reported via HackerOne. We strongly recommend upgrading to the latest stable version of RubyGems, 3.0.3 or 2.7.8. If you can’t upgrade to RubyGems 2.7 or 3.0, please use this patch for RubyGems 2.6. The following vulnerabilities have been reported:

CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
Fixed versions rubygems-2.7.9 and rubygems-3.0.3 have been added.
amd64 stable
sparc stable
x86 stable
arm stable
ia64 stable
s390 stable
ppc stable
ppc64 stable
hppa stable
alpha stable
@maintainer, please drop vulnerable.
cleanup done.