blog.rubygems.org
The RubyGems Team is happy to share this post from our colleague Ngan Pham, Principal Software Engineer @ Gusto. Thank you, Ngan! Working in a large monolith with many engineers, you never fail to get a flurry of changes every time you pull from main. Then you have the typical ritual of running bundle install and, if you’re on a Rails application, rails db:prepare. Sometimes, you forget to run bund
Hi all! I’m excited to share a new feature that will help make RubyGems.org more secure, as well as making it easier to automate gem publishing. Inspired by the Python package index, we’re calling it Trusted Publishing. Backstory Over the past few years, we’ve increased the minimum multi-factor authentication (MFA) requirements for accounts that own popular gems. We highly encourage requiring MFA
Attacks on the software supply chain are increasing and our community has not gone unscathed. RubyGems has been affected by supply chain attacks in the past, so it’s important for us to mitigate these risks as much as possible. Recommending stronger security practices like enabling multi-factor authentication (MFA) on popular packages is a first step towards improving the security of the RubyGems
Ever since it was first released, the Bundler team has wanted to know more about the developers out there using our code. What versions of Ruby are still being actively used? What versions of RubyGems is it safe to stop supporting? Which operating systems should we focus on testing? It’s been almost 10 years since that first release, but today the RubyGems and Bundler team is excited to announce t
Today we’re disclosing several vulnerabilities in RubyGems. They have all been reported via HackerOne. We strongly recommend upgrading to the latest stable version, RubyGems 3.0.3 or 2.7.8. If you can’t upgrade to RubyGems 2.7 or 3.0, please use this patch for RubyGems 2.6. CVE-2019-8320: Delete directory using symlink when decompressing tar Description A Directory Traversal issue was discovered in Ru
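The class of bug named in CVE-2019-8320 (a symlink inside a gem's tar reaching a directory outside the install location), as an added Ruby example that is not RubyGems' own extraction code and does not reproduce its patch. It shows the generic defence: resolve every archive entry against the install directory, taking into account symlinks created by earlier entries in the same archive, and reject anything whose resolved path or link target escapes. The `TarEntry` struct, the `SafeExtract` module and the `SAMPLE` entries are constructed for the demo.

```ruby
# Added example, not RubyGems' own extraction code: a path policy for
# extracting archive entries that follows symlinks created earlier in the
# same archive, so no entry can be written (or deleted) outside +dest+.
TarEntry = Struct.new(:name, :type, :link_target) # type: :file, :dir or :symlink

module SafeExtract
  # Resolve +rel+ beneath +base+ one component at a time, substituting any
  # prefix that an earlier, accepted symlink points elsewhere. '..' is applied
  # to the already-resolved path, which matches filesystem semantics.
  # File.expand_path is deliberately avoided: it would expand a "~" component.
  def self.resolve(base, rel, links)
    abs = base
    rel.split('/').reject { |c| c.empty? || c == '.' }.each do |comp|
      abs = comp == '..' ? File.dirname(abs) : File.join(abs, comp)
      abs = links[abs] if links.key?(abs) # follow a link we created earlier
    end
    abs
  end

  def self.inside?(path, dest)
    path == dest || path.start_with?(dest + '/')
  end

  # Returns { ok: [names], rejected: [[name, reason]] } in archive order.
  def self.partition(entries, dest)
    dest = File.expand_path(dest)
    links = {} # resolved link path => resolved target, for accepted symlinks
    ok, rejected = [], []
    entries.each do |e|
      abs = resolve(dest, e.name, links)
      unless inside?(abs, dest)
        rejected << [e.name, 'entry path escapes install dir']
        next
      end
      if e.type == :symlink
        base = e.link_target.start_with?('/') ? '/' : File.dirname(abs)
        target = resolve(base, e.link_target, links)
        unless inside?(target, dest)
          rejected << [e.name, 'symlink target escapes install dir']
          next
        end
        links[abs] = target
      end
      ok << e.name
    end
    { ok: ok, rejected: rejected }
  end
end

# Constructed entries, in the order they would appear in the archive.
SAMPLE = [
  TarEntry.new('lib/foo.rb', :file, nil),
  TarEntry.new('../etc/passwd', :file, nil),          # plain traversal
  TarEntry.new('evil', :symlink, '/tmp/victim'),      # absolute target outside
  TarEntry.new('ok', :symlink, 'lib'),                # harmless in-tree link
  TarEntry.new('ok/bar.rb', :file, nil),              # written through 'ok' -> lib/
  TarEntry.new('sneaky', :symlink, '../../outside'),  # relative escape
  TarEntry.new('lib/link', :symlink, '../ok/../lib'), # convoluted but stays inside
].freeze

if __FILE__ == $PROGRAM_NAME
  result = SafeExtract.partition(SAMPLE, '/install')
  result[:ok].each { |n| puts "extract  #{n}" }
  result[:rejected].each { |n, why| puts "reject   #{n}: #{why}" }
end
```

A real extractor must also refuse to remove an existing path that turns out to be a symlink before writing over it; the policy above prevents the link from being created in the first place, which is the cheaper place to stop it.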
Hello everyone! An unsafe object deserialization vulnerability was found in RubyGems. Unfortunately this vulnerability can be used as a way to escalate to a remote code execution exploit. The good news is that this issue was responsibly reported to the RubyGems team by Max Justicz, and we were able to promptly fix it. The RubyGems team audited all Gems, and using the data available to us we can sa
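The failure mode the post above describes (an unsafe YAML deserializer instantiating attacker-chosen classes, which is how gem metadata loading became a code-execution path), as an added Ruby example that is not the RubyGems fix. It contrasts a permissive Psych load with `Psych.safe_load` plus a class allow-list. `GemMeta`, `Sidekick`, both YAML documents and the `MetaLoader` module are constructed for the demo; the assumption that a reachable class with a side-effecting `init_with` stands in for a real gadget is mine.

```ruby
require 'psych'

# Added example, not RubyGems' own code. A legitimate metadata class the
# loader is expected to produce...
class GemMeta
  attr_accessor :name, :version
end

# ...and a stand-in for any loadable class whose deserialization hook has
# side effects. Psych calls init_with on the freshly allocated object, so
# whatever this method does runs at load time. Here it only records the
# request; a real gadget would act on it.
class Sidekick
  CALLS = []
  def init_with(coder)
    CALLS << coder['cmd']
  end
end

TRUSTED_DOC = <<~YAML
  --- !ruby/object:GemMeta
  name: example-gem
  version: 1.2.3
YAML

HOSTILE_DOC = <<~YAML
  --- !ruby/object:Sidekick
  cmd: echo pwned
YAML

module MetaLoader
  PERMITTED = [GemMeta].freeze

  # Permissive loading: revives whatever class the !ruby/object tag names.
  # Psych >= 3.3.2 exposes this as unsafe_load; on older versions plain
  # load is already the unsafe one, so the fallback keeps the same meaning.
  def self.unsafe(doc)
    Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(doc) : Psych.load(doc)
  end

  # Hardened loading: only allow-listed classes may be revived. Any other
  # tag raises Psych::DisallowedClass before an object is allocated, so no
  # deserialization hook of the attacker's class ever runs.
  def self.safe(doc)
    Psych.safe_load(doc, permitted_classes: PERMITTED)
  end

  # Convenience for callers that want an outcome instead of an exception.
  def self.try_safe(doc)
    safe(doc)
    :loaded
  rescue Psych::DisallowedClass
    :rejected
  end
end

if __FILE__ == $PROGRAM_NAME
  meta = MetaLoader.safe(TRUSTED_DOC)
  puts "safe_load trusted doc  -> #{meta.class} #{meta.name} #{meta.version}"
  puts "safe_load hostile doc  -> #{MetaLoader.try_safe(HOSTILE_DOC)} (hooks run: #{Sidekick::CALLS.size})"
  MetaLoader.unsafe(HOSTILE_DOC)
  puts "unsafe load hostile doc -> hook ran with #{Sidekick::CALLS.last.inspect}"
end
```

The allow-list has to cover every class a legitimate document may contain (for gem metadata that means the spec, version and requirement classes and nothing else); anything missing shows up as `Psych::DisallowedClass`, which is the safe direction to fail in.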
RubyGems 2.6.13 includes security fixes. To update to the latest RubyGems you can run: gem update --system If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page. Security fixes: Fix a DNS request hijacking vulnerability. Discovered by Jonathan Claudius, fix by Samuel Giddins. (CVE-2017-0902)
Since the early days of Ruby, Ruby Central, Inc. has served as an organizational anchor for our community. Starting in 2001, with the organization of the first International Ruby Conference, we have been responsible for running RubyConf and subsequently RailsConf. Thanks to you all, our conferences have enjoyed broad, sustainable success, endowing us with a solid financial foundation, which we the
Summary RubyGems.org contained a bug that could allow an attacker to replace some .gem files on our servers with a different file that they supplied. We deployed a partial fix on April 2nd and a complete fix on April 4th, 2016. We also verified every .gem uploaded after Feb 8th, 2015, and found that none of them had been replaced. Gems whose name contains a dash (e.g. ‘blank-blank’) uploaded befor
RubyGems allows a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically an SRV record _rubygems._tcp under the originally requested domain. For example, this is the one that users of rubygems.org see: > dig _rubygems._tcp.rubygems.org SRV ;; ANSWER SECTION: _rubygems._tcp.rubygems.org.
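The SRV redirect just described, together with the DNS request hijacking fix listed under RubyGems 2.6.13 (CVE-2017-0902), as an added Ruby example that is not code from the RubyGems project. It models the client-side decision: look up `_rubygems._tcp.<host>` and follow the record only when its target is a subdomain of the host the user originally asked for, so a spoofed SRV answer cannot send gem downloads to an attacker's domain. That the subdomain check mirrors the 2.6.13 fix is my assumption; the `SrvRedirect` module, its method names and the `FAKE_SRV` answers are constructed so the demo runs offline.

```ruby
require 'uri'
require 'resolv'

# Added example, not RubyGems' own fetcher code. Resolves the SRV-based
# redirect for a gem source and applies a same-domain check to the target.
module SrvRedirect
  SERVICE_PREFIX = '_rubygems._tcp.'

  # Real DNS lookup of the SRV target for +host+; nil when no record exists.
  def self.resolve_srv(host)
    Resolv::DNS.open do |dns|
      rec = dns.getresource(SERVICE_PREFIX + host, Resolv::DNS::Resource::IN::SRV)
      rec.target.to_s
    end
  rescue Resolv::ResolvError
    nil
  end

  # Which endpoint to use for API calls against +source_uri+. +resolver+ is
  # a callable taking a host and returning the SRV target (or nil); it
  # defaults to a live lookup, the demo below passes a constructed one.
  def self.api_endpoint(source_uri, resolver: method(:resolve_srv))
    uri = URI.parse(source_uri)
    target = resolver.call(uri.host)
    return uri if target.nil? || target.empty?

    target = target.chomp('.') # SRV targets may come back fully qualified
    # Assumed hardening check: only a strict subdomain of the original host
    # is honoured. "api.rubygems.org" for "rubygems.org" passes;
    # "rubygems.org.evil.example", "notrubygems.org" and "evil.example" do not.
    if target.end_with?(".#{uri.host}")
      URI.parse("#{uri.scheme}://#{target}#{uri.path}")
    else
      uri
    end
  end
end

# Constructed SRV answers standing in for DNS responses.
FAKE_SRV = {
  'rubygems.org'  => 'api.rubygems.org.',     # legitimate in-domain target
  'gems.example'  => 'mirror.attacker.test.', # hijacked answer
  'plain.example' => nil                      # no SRV record at all
}.freeze
FAKE_RESOLVER = ->(host) { FAKE_SRV[host] }

if __FILE__ == $PROGRAM_NAME
  %w[https://rubygems.org/ https://gems.example/ https://plain.example/].each do |src|
    puts "#{src} -> #{SrvRedirect.api_endpoint(src, resolver: FAKE_RESOLVER)}"
  end
end
```

The check is on the DNS name only; it does not make the redirected connection trustworthy on its own, which is why the scheme of the original source is carried over unchanged and TLS verification still applies to the new host.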
RubyGems 2.2.0 includes major enhancements, minor enhancements and bug fixes. To update to the latest RubyGems you can run: gem update --system If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page. Special thanks to Vít Ondruch and Michal Papis for testing and finding bugs in RubyGems as it
RubyGems 2.1.0 includes several new features and a security update to fix CVE-2013-4287 To update to the latest RubyGems you can run: gem update --system If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page. Security fixes: RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due
TL;DR: We were able to verify that all gems served by rubygems.org are tamper-free. The Incident As most people are aware, on January 30th rubygems.org was hit with a rogue code execution vulnerability. Much has been written (and will be written) about why the bug existed and how we’re going to be dealing with making sure it never happens again. Data Verification Right now, I want to let everyone