

Ruby 1.9.3-p194 is released with RubyGems security fixes - jfirebaugh
http://www.ruby-lang.org/en/news/2012/04/20/ruby-1-9-3-p194-is-released/

======
jfirebaugh
RubyGems 1.8.23 is also out with the same fix.

Two security issues were fixed:

* RubyGems did not validate SSL certificates (the dreaded OpenSSL::SSL::VERIFY_NONE problem).

* RubyGems allowed HTTPS-to-HTTP redirects. And in fact rubygems.org did redirect gem downloads from HTTPS to HTTP (also fixed).

Either of these means that an attacker could MITM your `gem install` or `bundle
install` and give you malicious gem contents. You'd be owned when you required
the gem -- possibly sooner, in fact, because gem install itself provides
mechanisms for arbitrary code execution.

It's also important to note that RubyGems does not default to HTTPS. I highly
recommend using `source "https://rubygems.org"` in your Gemfile and the
following in your ~/.gemrc:

    :sources:
      - https://rubygems.org


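An added example (my own code, not from the comment above or from the Ruby/RubyGems release) of the two client-side checks the fixes correspond to: verify the server certificate (`VERIFY_PEER` instead of `VERIFY_NONE`), and refuse any redirect that steps from HTTPS down to HTTP. The helper names (`build_client`, `redirect_allowed?`, `fetch_verified`) are hypothetical, and the decision logic can be exercised without network access.

```ruby
# Added example, not RubyGems' own code: certificate verification plus an
# HTTPS-to-HTTP downgrade check for a gem download client.
require 'net/http'
require 'openssl'
require 'uri'

# Build a Net::HTTP client that verifies the server's certificate chain
# against the system trust store. The vulnerable pre-1.8.23 behaviour is
# equivalent to leaving verify_mode at OpenSSL::SSL::VERIFY_NONE.
def build_client(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == 'https'
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  end
  http
end

# Decide whether a redirect hop may be followed. A request that started over
# HTTPS may only be redirected to another HTTPS URL; relative Locations are
# resolved against the origin so they inherit its scheme. Returns true/false.
def redirect_allowed?(from, to)
  from_uri = URI(from)
  to_uri = URI.join(from, to)
  return true if from_uri.scheme == 'http' # plaintext origin: nothing to lose
  to_uri.scheme == 'https'                 # https origin: must stay https
end

class DowngradeError < StandardError; end

# Fetch a URL with verification enabled, following at most `limit` redirects
# and raising instead of silently downgrading to plaintext.
def fetch_verified(url, limit = 5)
  raise 'too many redirects' if limit.zero?

  uri = URI(url)
  response = build_client(uri).request(Net::HTTP::Get.new(uri))
  return response unless response.is_a?(Net::HTTPRedirection)

  location = response['location']
  unless redirect_allowed?(url, location)
    raise DowngradeError, "refusing HTTPS-to-HTTP redirect #{url} -> #{location}"
  end
  fetch_verified(URI.join(url, location).to_s, limit - 1)
end
```

`redirect_allowed?` is the check the 1.8.23 fix adds in spirit: a plaintext origin has nothing to protect, but once a download starts over HTTPS it must finish over HTTPS, or the certificate verification in `build_client` buys nothing.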