[Bug 1467716] [NEW] "gem install" fetches packages from unencrypted HTTP URL

Simon Déziel 1467716 at bugs.launchpad.net
Tue Jun 23 01:21:47 UTC 2015


*** This bug is a security vulnerability ***

Public security bug reported:

Running "gem install $FOO" fetches $FOO using unencrypted HTTP which is
insecure.

Steps to reproduce:

1. apt-get install ruby
2. echo 'source "https://rubygems.org"' > Gemfile
3. gem install bundler

One would expect this to use HTTPS to download, but that is not the case.


Additional information:

# lsb_release -rd
Description:	Ubuntu 14.04.2 LTS
Release:	14.04

# apt-cache policy ruby
ruby:
  Installed: 1:1.9.3.4
  Candidate: 1:1.9.3.4
  Version table:
 *** 1:1.9.3.4 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

** Affects: ruby1.9.1 (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ruby1.9.1 in Ubuntu.
https://bugs.launchpad.net/bugs/1467716

Title:
  "gem install" fetches packages from unencrypted HTTP URL

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ruby1.9.1/+bug/1467716/+subscriptions
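As an added example, not part of the bug report above: the practical check a defender wants after reading it is whether the host's configured RubyGems sources are plain HTTP, and what to change if they are. The POSIX shell script below audits a `gem sources --list` listing for non-HTTPS entries and prints (rather than runs) the `gem sources --remove` / `gem sources --add` commands that swap each one for its HTTPS form. It assumes the listing format of `gem sources --list` (a `*** CURRENT SOURCES ***` header, a blank line, then one URL per line); the sample listing embedded in the script is constructed to mirror the situation in the report, so the script runs without `gem` installed.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a RubyGems source list for
# plaintext HTTP entries and emit the `gem sources` commands that replace
# each one with its HTTPS equivalent.
#
# Assumption: `gem sources --list` prints a "*** CURRENT SOURCES ***" header
# followed by one URL per line. The --add/--remove flags are the ones
# RubyGems documents for `gem sources`.

# Constructed sample standing in for `gem sources --list` output on a host
# whose default source is still plain HTTP (the situation in the report).
SAMPLE_SOURCES='*** CURRENT SOURCES ***

http://rubygems.org/
https://rubygems.org/'

# list_urls: keep only the lines that look like URLs (drops header/blank lines).
list_urls() {
    grep -E '^[A-Za-z][A-Za-z0-9+.-]*://' || true
}

# insecure_sources: URLs from stdin whose scheme is anything other than https.
insecure_sources() {
    list_urls | { grep -v -E '^https://' || true; }
}

# to_https: rewrite one http:// URL as https:// (other schemes are left as-is).
to_https() {
    printf '%s\n' "$1" | sed 's#^http://#https://#'
}

# remediation_commands: for each insecure URL on stdin, print the two gem
# commands that swap it for the HTTPS form. Printed, not executed, so an
# operator can review them before applying.
remediation_commands() {
    insecure_sources | while IFS= read -r url; do
        printf 'gem sources --remove %s\n' "$url"
        printf 'gem sources --add %s\n' "$(to_https "$url")"
    done
}

# count_insecure: number of non-HTTPS sources in the constructed sample.
count_insecure() {
    printf '%s\n' "$SAMPLE_SOURCES" | insecure_sources | grep -c .
}

# audit_live: same check against the real gem configuration on this host.
audit_live() {
    gem sources --list | remediation_commands
}

# Run the audit over the constructed sample so the script demonstrates
# itself stand-alone; call audit_live to check a real machine.
printf '%s\n' "$SAMPLE_SOURCES" | remediation_commands
```

On the sample listing the script prints `gem sources --remove http://rubygems.org/` followed by `gem sources --add https://rubygems.org/`; the `https://rubygems.org/` entry is left alone. Because the source list is also persisted under the `:sources:` key of `~/.gemrc`, re-running `audit_live` after applying the printed commands is the quickest way to confirm nothing plaintext remains.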
