RubyGems vulnerability March 2019

PhilCoggins · March 8, 2019, 6:04pm

Ruby announced some CVEs recently for certain RubyGems versions. It doesn’t appear that the docker containers have been updated yet:

$ docker pull circleci/ruby:2.6.1

2.6.1: Pulling from circleci/ruby

Digest: sha256:6e7c310c2aafcb504adde04ce9202d52da8da0bfdb40cceed3204094851d4ab1

Status: Image is up to date for circleci/ruby:2.6.1

~/Workbench $ docker run -it --rm circleci/ruby:2.6.1 gem -v

3.0.1

Would expect 3.0.3 to be the output above, in order to fix you would need to run gem update --system.

This also applies to Ruby 2.4 and 2.5.

Let me know if I can be of assistance in anyway.

https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html

FelicianoTech · March 8, 2019, 6:26pm

Hi Phil,

Thanks for bringing this up. Our images are based on official Docker images which haven’t been updated yet. Once they update, we’ll get it within 24 hours.

Specifically, there’s two relevant PRs of which only the first has been merged:

I’ll comment on the second PR to see if we can help hasten its merge.

Update:

I opened a CircleCI GitHub Issue to track here: https://github.com/circleci/circleci-images/issues/343

FelicianoTech · March 11, 2019, 5:55pm

The images have been updated.

system · March 21, 2019, 5:55pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Docker image for ruby 2.5.4 and 2.6.2 Build Environment	7	3662	March 25, 2019
Ruby v2.4.2 and Ruby v2.3.5 CircleCI 2.0 Images Build Environment	1	1033	June 18, 2018
Want to install docker image circleci/ruby:2.3 CircleCI Images	1	946	April 23, 2019
Ruby 2.5.3 Build Environment build-image , ruby , docker	3	2240	November 1, 2018
Please do not update major versions of Ruby dependencies by default in tagged Docker images Build Environment docker , rubygems	4	1333	February 18, 2019

RubyGems vulnerability March 2019

Related topics