
RubyGems DNS flaw now patched after second try

Discussion in 'Network World' started by RSS, Jun 23, 2015.

  1. RSS


    A revised patch has been released for a flaw in the distribution platform for Ruby applications, RubyGems, which could be used to deliver malware to someone trying to download a program.

    RubyGems lets people search for a “gem,” which is a packaging format for Ruby applications and code libraries. Ruby developers publish a gem when an application is ready.

    Security researchers from Trustwave found a problem with the platform. When people search for a gem, RubyGems uses a DNS (Domain Name System) SRV record request to find a server hosting a particular gem.

    The request, however, “does not require that DNS replies come from the same security domain as the original gem source,” according to a writeup, which Trustwave plans to release on its blog on Tuesday.

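One way to express the check the article says is missing, as an added Ruby example that is not part of the original article and is not RubyGems' own code: an SRV target is accepted only when it is the original gem source host or a subdomain of it. Reading "same security domain" as "same host or subdomain" is an assumption, and all function and host names here are hypothetical.

```ruby
# Added example: decide whether a host named in a DNS SRV reply may be used
# as the download endpoint for a gem source. All names are hypothetical.

# Lower-case a DNS name and drop the trailing root dot so that
# "API.Example.Test." and "api.example.test" compare equal.
def normalize_host(name)
  name.to_s.strip.downcase.chomp(".")
end

# True when target is the origin host itself or a subdomain of it.
# The comparison is made on whole labels: a plain end_with?(origin) test
# would also accept "notgems.example.test" for origin "gems.example.test".
def same_security_domain?(origin_host, srv_target)
  origin = normalize_host(origin_host)
  target = normalize_host(srv_target)
  return false if origin.empty? || target.empty?
  target == origin || target.end_with?(".#{origin}")
end

# Pick the endpoint to contact: the first SRV target that passes the check,
# otherwise fall back to the origin host the user configured.
def choose_endpoint(origin_host, srv_targets)
  accepted = srv_targets.find { |t| same_security_domain?(origin_host, t) }
  accepted ? normalize_host(accepted) : normalize_host(origin_host)
end

# Constructed sample SRV targets for the origin "gems.example.test".
SAMPLE_REPLIES = [
  "mirror.other.test.",      # different domain: rejected
  "notgems.example.test",    # look-alike suffix, not a subdomain: rejected
  "API.gems.example.test."   # subdomain of the origin: accepted
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REPLIES.each do |t|
    puts format("%-26s %s", t, same_security_domain?("gems.example.test", t))
  end
  puts choose_endpoint("gems.example.test", SAMPLE_REPLIES)
end
```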
