Rubygems 1.8.10 Released

rubygems-update version 1.8.10 has been released!

RubyGems is a package management framework for Ruby.

This gem is an update for the RubyGems software. You must have an
installation of RubyGems before this update can be applied.

See Gem for information on RubyGems (or ri Gem)

To upgrade to the latest RubyGems, run:

$ gem update --system # you might need to be an administrator or root

See UPGRADING.rdoc for more details and alternative instructions.


If you don’t have RubyGems installed, you can still do it manually:

For more details and other options, see:

ruby setup.rb --help

Changes:

1.8.10 / 2011-08-26

RubyGems 1.8.10 contains a security fix that prevents malicious gems from
executing code when their specification is loaded. See
"Fixed a code-injection in Gem::Specification#ruby_code" by postmodern
(Pull Request #165, rubygems/rubygems, GitHub) for details.

  • 5 bug fixes:

    • RubyGems escapes strings in ruby-format specs using #dump instead of
      #to_s and %q to prevent code injection. Issue #165 by Postmodern
    • RubyGems attempts to activate the psych gem now to obtain bugfixes
      from psych.
    • Gem.dir has been restored to the front of Gem.path. Fixes remaining
      problem with Issue #115
    • Fixed Syck DefaultKey infecting ruby-format specifications.
    • gem uninstall a b no longer stops if gem “a” is not installed.
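
The escaping change in the first bug-fix item, shown as an added example (not RubyGems source and not code from the pull request): it writes the same constructed strings as a %q{} literal and via String#dump, then checks whether each generated literal evaluates back to the original value. The helper names and sample strings are assumptions made for illustration.

```ruby
# Added illustration, not RubyGems source code.
# Compares the two quoting styles named in the 1.8.10 changelog when a
# string value is written into generated Ruby source.

# Old style per the changelog: #to_s inside a %q{...} literal.
def quote_percent_q(value)
  "%q{#{value}}"
end

# New style per the changelog: String#dump, which escapes quotes,
# backslashes, control characters and the "#{" interpolation marker.
def quote_dump(value)
  value.to_s.dump
end

# A quoting style is safe only if the generated literal evaluates back to
# exactly the original string. Only called on the constructed samples below.
def round_trips?(literal, original)
  eval(literal) == original
rescue SyntaxError, StandardError
  false
end

# Constructed sample values (hypothetical gem metadata strings).
SAMPLES = [
  "plain summary",
  "nested {balanced} braces",
  "demo} + %q{tail",            # unbalanced "}" ends a %q{} literal early
  "open { only",                # unbalanced "{" leaves a %q{} literal unterminated
  'has #{interp} and "quotes"'
].freeze

# Returns one result row per sample for both quoting styles.
def audit(samples = SAMPLES)
  samples.map do |s|
    { value: s,
      percent_q_ok: round_trips?(quote_percent_q(s), s),
      dump_ok: round_trips?(quote_dump(s), s) }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit.each do |r|
    puts format("%-32s %%q: %-5s dump: %s", r[:value].inspect, r[:percent_q_ok], r[:dump_ok])
  end
end
```

For the third sample the %q{} form evaluates to a different string, because the text after the first "}" is parsed as Ruby code rather than data; the #dump form round-trips every sample.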

I have a question. I have rvm installed, and I updated rubygems like
this:

$ gem update --system
Updating rubygems-update
Fetching: rubygems-update-1.8.10.gem (100%)
Successfully installed rubygems-update-1.8.10
Installing RubyGems 1.8.10
RubyGems 1.8.10 installed

== 1.8.10 / 2011-08-25

RubyGems 1.8.10 contains a security fix that prevents malicious gems
from
executing code when their specification is loaded. See
Fixed a code-injection in Gem::Specification#ruby_code. by postmodern · Pull Request #165 · rubygems/rubygems · GitHub for details.

  • 5 bug fixes:

    • RubyGems escapes strings in ruby-format specs using #dump instead of
      #to_s
      and %q to prevent code injection. Issue #165 by Postmodern
    • RubyGems attempt to activate the psych gem now to obtain bugfixes
      from
      psych.
    • Gem.dir has been restored to the front of Gem.path. Fixes remaining
      problem with Issue #115
    • Fixed Syck DefaultKey infecting ruby-format specifications.
    • gem uninstall a b no longer stops if gem “a” is not installed.

RubyGems installed the following executables:
/Users/me/.rvm/rubies/ruby-1.9.2-p180/bin/gem

RubyGems system software updated
$

That looks like it only updated my ruby 1.9.2 rubygems. Is that
correct?

7stud – wrote in post #1018757:

I have a question. I have rvm installed, and I updated rubygems like
this:

$ gem update --system

That looks like it only updated my ruby 1.9.2 rubygems. Is that
correct?

That is correct

rvm rubygems x.y.z will also update the installed RubyGems for the
active version of Ruby, not all of them.