Ruby 1.9.2-p320 is released

Ruby 1.9.2-p320 is released.

This release include Security Fix for RubyGems: SSL server verification failure for remote repository. And many bugs are fixed in this release.

Security Fix for RubyGems: SSL server verification failure for remote repository

This release includes two security fixes in RubyGems.

  • Turn on verification of server SSL certs
  • Disallow redirects from https to http

Users who uses https source in .gemrc or /etc/gemrc are encouraged to upgrade to 1.9.2-p320 or 1.9.3-p194.

Following is excerpted from RubyGems 1.8.23 release note [1].

"This release increases the security used when RubyGems is talking to an https server. If you use a custom RubyGems server over SSL, this release will cause RubyGems to no longer connect unless your SSL cert is globally valid.

You can configure SSL certificate usage in RubyGems through the :ssl_ca_cert and :ssl_verify_mode options in ~/.gemrc and /etc/gemrc. The recommended way is to set :ssl_ca_cert to the CA certificate for your server or a certificate bundle containing your CA certification.

You may also set :ssl_verify_mode to 0 to completely disable SSL certificate checks, but this is not recommended."

Credit to John Firebaugh for reporting this issue.

[1] <URL:https://github.com/rubygems/rubygems/blob/1.8/History.txt>

Fixes

  • Security Fix for RubyGems: SSL server verification failure for remote repository
  • other bug fixes

See tickets and ChangeLog for details.

Downloads