Posted by NARUSE, Yui on 20 Apr 2012

Ruby 1.9.3-p194 is released.

This release include Security Fix for RubyGems: SSL server verification failure for remote repository. And many bugs are fixed in this release.

Security Fix for RubyGems: SSL server verification failure for remote repository

This release includes two security fixes in RubyGems.

Turn on verification of server SSL certs

Disallow redirects from https to http

Users who uses https source in .gemrc or /etc/gemrc are encouraged to upgrade to 1.9.3-p194.

Following is excerpted from RubyGems 1.8.23 release note [1].

"This release increases the security used when RubyGems is talking to an https server. If you use a custom RubyGems server over SSL, this release will cause RubyGems to no longer connect unless your SSL cert is globally valid.

You can configure SSL certificate usage in RubyGems through the :ssl_ca_cert and :ssl_verify_mode options in ~/.gemrc and /etc/gemrc. The recommended way is to set :ssl_ca_cert to the CA certificate for your server or a certificate bundle containing your CA certification.

You may also set :ssl_verify_mode to 0 to completely disable SSL certificate checks, but this is not recommended."

Credit to John Firebaugh for reporting this issue.

[1] <URL:https://github.com/rubygems/rubygems/blob/1.8/History.txt>

Fixes

Security Fix for RubyGems: SSL server verification failure for remote repository

other bug fixes

See tickets and ChangeLog for details.

Downloads