RubyGems vulnerability March 2019

Ruby announced some CVEs recently for certain RubyGems versions. It doesn’t appear that the docker containers have been updated yet:

```
$ docker pull circleci/ruby:2.6.1
2.6.1: Pulling from circleci/ruby
Digest: sha256:6e7c310c2aafcb504adde04ce9202d52da8da0bfdb40cceed3204094851d4ab1
Status: Image is up to date for circleci/ruby:2.6.1
~/Workbench $ docker run -it --rm circleci/ruby:2.6.1 gem -v
3.0.1
```

I would expect 3.0.3 as the output above; to fix it you would need to run `gem update --system`.

This also applies to Ruby 2.4 and 2.5.

Let me know if I can be of assistance in any way.

https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
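The check the post performs by hand (run `gem -v` in the image, compare against the patched 3.0.3) is easy to turn into a failing CI step. The script below is an added example, not from the original post or from CircleCI; it assumes only a POSIX `sh` and that `gem -v` prints a plain dotted version, and it compares against 3.0.3 because that is the version the thread names as fixed.

```shell
#!/bin/sh
# Added example (not from the original thread): fail a CI step when the
# installed RubyGems is older than the patched release named in the post.
# Assumes a POSIX sh; `gem -v` is only invoked when run with --live.

MIN_RUBYGEMS="3.0.3"   # patched RubyGems version per the March 2019 advisory

# version_ge A B: return 0 if dotted version A >= B, else 1.
# Missing components are treated as 0, so 3.0 == 3.0.0.
version_ge() {
  a="$1."; b="$2."   # trailing dot so `cut` always sees a delimiter
  i=1
  while :; do
    pa=$(printf '%s' "$a" | cut -d. -f"$i" | tr -dc '0-9')
    pb=$(printf '%s' "$b" | cut -d. -f"$i" | tr -dc '0-9')
    # both versions exhausted with no difference found: equal
    if [ -z "$pa" ] && [ -z "$pb" ]; then return 0; fi
    pa=${pa:-0}; pb=${pb:-0}
    if [ "$pa" -gt "$pb" ]; then return 0; fi
    if [ "$pa" -lt "$pb" ]; then return 1; fi
    i=$((i + 1))
  done
}

# check_rubygems VERSION: return 0 if VERSION is at or above MIN_RUBYGEMS,
# otherwise print the remediation from the thread to stderr and return 1.
check_rubygems() {
  if version_ge "$1" "$MIN_RUBYGEMS"; then
    echo "rubygems $1 is at or above $MIN_RUBYGEMS"
    return 0
  fi
  echo "rubygems $1 is below $MIN_RUBYGEMS; run: gem update --system" >&2
  return 1
}

# Usage inside a CI job: sh check_rubygems.sh --live
# (the non-zero exit fails the step when the image ships an old RubyGems)
if [ "${1:-}" = "--live" ]; then
  check_rubygems "$(gem -v)"
fi
```

Running it with `--live` inside the container from the post (`docker run --rm circleci/ruby:2.6.1 sh check_rubygems.sh --live`) reports 3.0.1 as below 3.0.3 and exits non-zero, which is the signal a pipeline wants until the base image is rebuilt.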


Hi Phil,

Thanks for bringing this up. Our images are based on official Docker images which haven’t been updated yet. Once they update, we’ll get it within 24 hours.

Specifically, there are two relevant PRs, of which only the first has been merged:

I’ll comment on the second PR to see if we can help hasten its merge.

Update:

I opened a CircleCI GitHub Issue to track here: https://github.com/circleci/circleci-images/issues/343


The images have been updated.
