Security update for rubygem-bundler

SUSE Security Update: Security update for rubygem-bundler
Announcement ID: SUSE-SU-2015:0795-1
Rating: moderate
References: #898205
Affected Products:
  • WebYaST 1.3
  • SUSE Studio Onsite 1.3
  • SUSE Linux Enterprise Software Development Kit 11 SP3
  • SUSE Linux Enterprise High Availability Extension 11 SP3
  • SUSE Lifecycle Management Server 1.3
  • SUSE Cloud 4

  • An update that fixes one vulnerability is now available. It includes one version update.

    Description:

    The rubygem bundler has been updated to 1.7.0 to fix an issue where it downloaded ruby gems from a different servers than the intended one. (CVE-2013-0334)

    Bundler 1.7 is a security-only release to address CVE-2013-0334, a vulnerability where a gem might have been installed from an unintended source server, particularly while using both rubygems.org and gems.github.com.

    Upstream changes entry with more explanations:

    Any Gemfile with multiple top-level source lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name.

    This is especially possible in the case of Github's legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on Rubygems.org with the same name as a commonly-used Github gem. From that point forward, running bundle install might result in the malicious gem being used instead of the expected gem.

    To mitigate this, the Bundler and Rubygems.org teams worked together to copy almost every gem hosted on gems.github.com to rubygems.org, reducing the number of gems that can be used for such an attack.

    Resolution

    To resolve this issue, upgrade to Bundler 1.7 by running gem install bundler. The next time you run bundle install for any Gemfile that contains multiple sources, each gem available from multiple sources will print a warning.

    For every warning printed, edit the Gemfile to either specify a :source option for that gem, or move the gem line into a block that is passed to a source method call.

    For detailed information about the changes to how sources are handled in Bundler version 1.7, see the release announcement.

    Security Issues:

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • WebYaST 1.3:
      zypper in -t patch slewyst13-rubygem-bundler=10449
    • SUSE Studio Onsite 1.3:
      zypper in -t patch slestso13-rubygem-bundler19=10451 slestso13-rubygem-bundler=10449
    • SUSE Linux Enterprise Software Development Kit 11 SP3:
      zypper in -t patch sdksp3-rubygem-bundler=10450
    • SUSE Linux Enterprise High Availability Extension 11 SP3:
      zypper in -t patch slehasp3-rubygem-bundler=10450
    • SUSE Lifecycle Management Server 1.3:
      zypper in -t patch sleslms13-rubygem-bundler=10449
    • SUSE Cloud 4:
      zypper in -t patch sleclo40sp3-rubygem-bundler=10448

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • WebYaST 1.3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.7.0]:
      • rubygem-bundler-1.7.0-0.7.1
    • SUSE Studio Onsite 1.3 (x86_64) [New Version: 1.7.0]:
      • rubygem-bundler-1.7.0-0.7.1
      • rubygem-bundler19-1.7.0-0.12.1
    • SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.7.0]:
      • rubygem-bundler-1.7.0-0.7.1
    • SUSE Linux Enterprise High Availability Extension 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.7.0]:
      • rubygem-bundler-1.7.0-0.7.1
    • SUSE Lifecycle Management Server 1.3 (x86_64) [New Version: 1.7.0]:
      • rubygem-bundler-1.7.0-0.7.1
    • SUSE Cloud 4 (x86_64) [New Version: 1.7.0]:
      • rubygem-bundler-1.7.0-0.7.1

    References: