RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. Upstream patches: https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32 Bug report: https://hackerone.com/reports/218088 External References: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
Created ruby193-rubygems tracking bugs for this issue: Affects: openshift-1 [bug 1487592] Created rubygems tracking bugs for this issue: Affects: fedora-all [bug 1487591] Affects: openshift-1 [bug 1487593]
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2017:3485 https://access.redhat.com/errata/RHSA-2017:3485
Statement: This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 6, and 7 and the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software Collections. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:0378 https://access.redhat.com/errata/RHSA-2018:0378
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0583 https://access.redhat.com/errata/RHSA-2018:0583
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0585 https://access.redhat.com/errata/RHSA-2018:0585