Multiple CVEs addressed by Rubygems 3.0.3

[lsimoneau]

There have been a number of CVEs for vulnerabilities in Rubygems announced today https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/.

I've read the conversation in #255, and it seems the general consensus here was to rely on Ruby core patches pulling in security fixes for Rubygems.

With this latest batch of CVEs, the announcement is not clear about if there is an intention to patch this with new Ruby releases, as the advice is to update Rubygems.

How do you plan to proceed with this here? I'm trying to gauge whether it's worth manually patching all of our systems or whether I should be waiting for either: an upstream patch to Ruby making its way to the base images or b) an updated Rubygems in the base images. Is someone able to confirm with someone on the Ruby team whether they plan on releasing patches with updated Rubygems? If not, would you expect to be bumping the Rubygems version in the Docker base images?

[nightpool]

The CVE announcement provides patches for the ruby versions, but no information about releasing those patches. Furthermore, there is no patch provided for 2.3, so at least that Dockerfile probably should be updated.

EDIT: if 2.3 is even affected? Reading the announcement more closely, it might not be.

[reidab]

@nightpool The original release of 2.3 wasn't affected because it bundled an earlier rubygems version, but all the pre-2.6 images built from this repo install rubygems 3.0.1 explicitly.

[mltsy]

From what I have just read (at links above, and other linked issues), it sounds like:
A) The decision on #255 was to rely on ruby core to bundle a suitable rubygems version, rather than continually updating version numbers in this repository (including in the case of security patches, such as this case),
B) So far, Ruby doesn't appear to have released any new versions or mentioned any releases planned to address this rubygems vulnerability, and
C) This may be the first major security-patch case that has come up since the decision in #255 was made (?), so this will be a good test of the decisions made there!

Theoretically, as @indirect stated in #255 (comment), "Anytime there is a CVE in RubyGems, the Ruby team issues a new bugfix release for Ruby with the patch for that issue" - so far, no release, but perhaps we will see one today or tomorrow? If not, I think it's important to post some advice on how to proceed here, such as either:

1. "We will update the pinned version to 3.0.3, since ruby has not made a release to address the security vulnerability", or
2. "We recommend updating your own Dockerfile to update rubygems to the desired version in your image as follows: ..."

[dentarg]

I found https://bugs.ruby-lang.org/issues/15637 but it is closed 🤔

[yosifkit]

We definitely don't want to leave it at a vulnerable RubyGems version. So minimally we should bump the freeze we defined in update.sh:

ruby/update.sh

Line 21 in ccb4921

rubygems='3.0.1'

Let me see if I can get a PR done in the next little bit.

[yosifkit]

PR created: #271.