[Rubygems-developers] Need to release 0.9.1 due to security exploit

Eric Hodel drbrain at segment7.net
Fri Jan 12 14:17:06 EST 2007

On Jan 12, 2007, at 10:59, Eric Hodel wrote:

> I've checked in fixes for an installation exploit found by Gavin  
> Sinclair.  Here's a draft email describing the exploit and how to  
> fix RubyGems.  I only supplied patches for the past two versions of  
> RubyGems, since tattle says that's what everybody uses.
> b) Apply the following patch
> For RubyGems 0.9.0:
> <installer.rb.extract_files.REL_0_9_0.patch>
> For RubyGems 0.8.11:
> <installer.rb.extract_files.REL_0_8_11.patch>

Note: I didn't test either of these patches.  The 0.9.0 patch applied  
cleanly with offset.  The 0.8.11 I had to do by hand.

If anybody still has a 0.8.11, please test this patch.

Eric Hodel - drbrain at segment7.net - http://blog.segment7.net

