Another day, another reminder to be careful about installing software downloaded from the Internet: This time, the warning is for the Ruby community.
The team behind RubyGems.org closed two security flaws on its website that could be exploited by an attacker to replace any .gem file on the server with a different file having the same name, according to an advisory posted on the Ruby gem hosting service’s website.
Gems with a dash in the name (blank-blank) pushed to RubyGems.org after June 11, 2014, when the flaw was introduced, were vulnerable to tampering. The team verified every .gem file uploaded to the server after Feb 8, 2015, and didn’t find any cases of tampering, but recommended authors verify their gems as well.
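Verifying a published gem, as the advisory recommends, comes down to confirming that the file the host now serves is byte-for-byte the one the author built. The following Ruby is an added example, not code from the article or from RubyGems.org; the local and fetched file paths are assumptions, and the only real external interface it touches is the rubygems.org versions API, whose per-version "sha" field holds the SHA-256 of the uploaded .gem.

```ruby
# Added example (not from the article or RubyGems.org): check that the .gem a
# host serves matches the one the author built, by comparing SHA-256 digests.
require 'digest'
require 'json'
require 'net/http'
require 'tempfile'

# SHA-256 of a .gem file, hex-encoded; Digest streams the file, so large gems
# are not read into memory at once.
def gem_sha256(path)
  Digest::SHA256.file(path).hexdigest
end

# Compare the gem built locally with the copy retrieved from the host.
# Returns both digests alongside the verdict so a mismatch can be logged
# with evidence rather than as a bare false.
def verify_gem(local_path, fetched_path)
  local   = gem_sha256(local_path)
  fetched = gem_sha256(fetched_path)
  { local_sha256: local, fetched_sha256: fetched, match: local == fetched }
end

# Optional network check: the checksum rubygems.org records for a published
# version, so a locally built gem can be compared without re-downloading it.
# Not called by the offline demonstration below.
def published_sha256(gem_name, version)
  uri = URI("https://rubygems.org/api/v1/versions/#{gem_name}.json")
  versions = JSON.parse(Net::HTTP.get(uri))
  entry = versions.find { |v| v['number'] == version }
  entry && entry['sha']
end

# Offline demonstration using constructed stand-in files (not real gems):
# the first "fetched" copy is identical to the local build, the second was
# altered by a single byte, which is exactly the case the check must catch.
def demo
  original = 'constructed gem payload v1.0.0'
  local = Tempfile.new(['local', '.gem']); local.write(original);       local.flush
  good  = Tempfile.new(['good',  '.gem']); good.write(original);        good.flush
  bad   = Tempfile.new(['bad',   '.gem']); bad.write(original + 'X');   bad.flush
  results = [
    verify_gem(local.path, good.path)[:match],
    verify_gem(local.path, bad.path)[:match],
  ]
  [local, good, bad].each(&:close!)
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In practice the `local_path` is the artifact produced by `gem build`, and `fetched_path` is the file pulled back from the host (or its digest from `published_sha256`); any mismatch means the served file is not the one the author shipped and should be treated as tampering until explained.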