The new RubyGems 2.7.6 release addresses several vulnerabilities in Ruby Gems and implements several security improvements.
The updates prevent path traversal when writing to a symlinked basedir outside of the root and during gem installation.
The updates also address a cross-site scripting (XSS) vulnerability in the homepage attribute when displayed via gem server and an Unsafe Object Deserialization issue in gem owner.
The new RubyGems release raises a security error when there are duplicate files in a package and enforce URL validation on spec homepage attribute.
To update to the latest RubyGems you can run:
gem update --system
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(Security Affairs – RubyGems, security)