Posted: Mon Sep 26, 2016 4:26 am Post subject: [ GLSA 201609-02 ] Bundler
Gentoo Linux Security Advisory
Title: Bundler: Insecure installation (GLSA 201609-02)
Date: September 26, 2016
A vulnerability has been found in Bundler, allowing injection of
arbitrary code via the gem installation process.
Bundler provides a consistent environment for Ruby projects by tracking
and installing the exact gems and versions that are needed.
Vulnerable: < 1.7.3
Unaffected: >= 1.7.3
Architectures: All supported architectures
Bundler allows the installation of gems from different sources with the
same names when multiple top-level gem sources are used, so a gem requested
by name may be served by whichever of those sources an attacker controls.
Remote attackers could inject arbitrary code via the gem installation process.
There is no known workaround at this time.
All Bundler users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/bundler-1.7.3"
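To make the advisory's condition concrete, here is an added example (my own code, not Bundler's and not part of the GLSA) that scans a Gemfile for the ambiguity described above: gems declared without an explicit source while more than one top-level `source` line exists. It goes slightly beyond the advisory by also showing the scoped `source "..." do ... end` block that Bundler 1.7 and later accept, which pins a gem to one source. The two Gemfiles, the hostname gems.example.internal and the gem names are constructed for the demo.

```ruby
# Minimal Gemfile scanner (added example, not Bundler's own resolver).
# It evaluates the Gemfile DSL with only the calls relevant to source
# resolution and reports gems that could be fetched from more than one
# top-level source.

class GemfileAudit
  attr_reader :top_sources, :gems

  def initialize
    @top_sources = []   # sources declared at the top level of the Gemfile
    @gems = []          # { name:, source: } with source nil when unscoped
    @scope = nil        # URL of the enclosing source block, if any
  end

  def self.scan(text)
    audit = new
    audit.instance_eval(text, "Gemfile", 1)
    audit
  end

  # `source url` at top level registers a primary source; `source url do ... end`
  # (Bundler >= 1.7) scopes the gems declared inside the block to that URL.
  def source(url, &block)
    if block
      previous, @scope = @scope, url
      begin
        instance_eval(&block)
      ensure
        @scope = previous
      end
    else
      @top_sources << url
    end
  end

  # Record the gem name and its explicit source (`source:` option or block).
  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    @gems << { name: name, source: opts[:source] || @scope }
  end

  # Other directives (ruby, group, platforms, ...) do not affect source
  # resolution; still descend into their blocks so nested gems are seen.
  def method_missing(_name, *_args, &block)
    instance_eval(&block) if block
  end

  def respond_to_missing?(_name, _include_private = false)
    true
  end

  # Gems with no explicit source while several top-level sources are declared:
  # any of those sources may answer for the name, so whoever can publish to
  # one of them can supply the code that gets installed.
  def ambiguous_gems
    return [] if @top_sources.uniq.size < 2
    @gems.reject { |g| g[:source] }.map { |g| g[:name] }
  end
end

# Constructed Gemfile matching the vulnerable pattern: two primary sources.
WEAK_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"
  gem "rails", "~> 4.2"
  gem "internal-billing"
  group :test do
    gem "rspec"
  end
GEMFILE

# Constructed corrected Gemfile: one primary source, the internal gem pinned
# to its own source via a source block.
FIXED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails", "~> 4.2"
  group :test do
    gem "rspec"
  end
  source "https://gems.example.internal" do
    gem "internal-billing"
  end
GEMFILE

if __FILE__ == $0
  { "weak" => WEAK_GEMFILE, "fixed" => FIXED_GEMFILE }.each do |label, text|
    audit = GemfileAudit.scan(text)
    puts "#{label}: #{audit.top_sources.size} top-level source(s), " \
         "ambiguous gems: #{audit.ambiguous_gems.inspect}"
  end
end
```

Running the script against the two constructed Gemfiles reports every gem in the weak file as ambiguous and none in the fixed one. The scanner only follows `source` blocks and the `source:` option; it does not resolve versions or contact any server, so it is a pre-install sanity check, not a replacement for upgrading Bundler.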