[Bug 1467716] [NEW] "gem install" fetches packages from unencrypted HTTP URL
Simon Déziel
1467716 at bugs.launchpad.net
Tue Jun 23 01:21:47 UTC 2015
*** This bug is a security vulnerability ***
Public security bug reported:
Running "gem install $FOO" fetches $FOO using unencrypted HTTP which is
insecure.
Steps to reproduce:
1. apt-get install ruby
2. echo 'source "https://rubygems.org"' > Gemfile
3. gem install bundler
One would expect this to use HTTPS to download but it's not the case.
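The reproduction steps write a Gemfile, but a Gemfile is only read by Bundler; plain `gem install` takes its download URLs from the RubyGems source list (`gem sources -l`, backed by `~/.gemrc`). The following Ruby is an added example, not code from the bug report or from RubyGems, that audits both places for non-HTTPS sources and proposes the HTTPS replacement. The sample `gem sources -l` output and the sample Gemfile (including the hypothetical `gems.example.internal` mirror) are constructed inline so the script runs offline.

```ruby
require 'uri'

# Constructed sample of what `gem sources -l` prints on a host whose
# source list still carries an http:// entry. Not output from the report.
SAMPLE_GEM_SOURCES = <<~TXT
  *** CURRENT SOURCES ***

  http://rubygems.org/
  https://rubygems.org/
TXT

# Constructed sample Gemfile. The hostname gems.example.internal is a
# hypothetical internal mirror used only for illustration.
SAMPLE_GEMFILE = <<~RUBY
  source "https://rubygems.org"
  source 'http://gems.example.internal'   # hypothetical internal mirror
  gem "bundler"
RUBY

# Keep only the URL lines of `gem sources -l` output (drops the banner
# and blank lines).
def parse_gem_sources(text)
  text.lines.map(&:strip).select { |l| l =~ %r{\A[a-z][a-z0-9+.-]*://}i }
end

# Extract the URLs of `source "..."` / `source '...'` lines in a Gemfile.
# Block-form sources (source(url) do ... end) are not handled.
def parse_gemfile_sources(text)
  text.lines.each_with_object([]) do |line, urls|
    m = line.match(/\A\s*source\s+["']([^"']+)["']/)
    urls << m[1] if m
  end
end

# Return the sources that are not fetched over TLS.
def insecure_sources(urls)
  urls.reject { |u| URI.parse(u).scheme == 'https' }
end

# Propose the https:// form of an http:// URL; any other scheme
# (https, file, ...) is returned unchanged.
def to_https(url)
  url.sub(%r{\Ahttp://}i, 'https://')
end

# Audit both inputs; returns a hash mapping each insecure URL to the
# HTTPS URL that should replace it (via `gem sources -r OLD -a NEW`, or
# by editing the Gemfile).
def audit(gem_sources_text, gemfile_text)
  urls = parse_gem_sources(gem_sources_text) + parse_gemfile_sources(gemfile_text)
  insecure_sources(urls).to_h { |u| [u, to_https(u)] }
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_GEM_SOURCES, SAMPLE_GEMFILE).each do |bad, good|
    puts "insecure source #{bad} -> use #{good}"
  end
end
```

On a real host, feed the script the actual `gem sources -l` output and the project's Gemfile instead of the constructed samples; an empty result means every configured source already uses HTTPS, which is the state the reporter expected by default.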
Additional information:
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# apt-cache policy ruby
ruby:
Installed: 1:1.9.3.4
Candidate: 1:1.9.3.4
Version table:
*** 1:1.9.3.4 0
500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
100 /var/lib/dpkg/status
** Affects: ruby1.9.1 (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ruby1.9.1 in Ubuntu.
https://bugs.launchpad.net/bugs/1467716
Title:
"gem install" fetches packages from unencrypted HTTP URL
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ruby1.9.1/+bug/1467716/+subscriptions