Conversation

yosifkit (Member) commented Mar 6, 2019

There have been a number of CVEs for vulnerabilities in Rubygems announced today https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/.

From the discussion on #255, I have only updated RubyGems on versions of Ruby for which we install an explicit version of RubyGems newer than the one bundled with the Ruby release. What this means is that 2.6 still has RubyGems 3.0.1 because I am assuming that a bugfix release is incoming (given the following comment):

> In that case, you should be fine sticking with just the latest Ruby patch release. Anytime there is a CVE in RubyGems, the Ruby team issues a new bugfix release for Ruby with the patch for that issue. :+1:
> - #255 (comment)

☝️ If this is not the case, please let us know so we can also bump the gems version for the 2.6 images.

CC @indirect and @deivid-rodriguez, do you have any insight as to whether or not Ruby will be making a new release for this set of RubyGems CVEs?

Related: https://bugs.ruby-lang.org/issues/15637 (it looks like there are patches being backported for updating Ruby 2.6 to RubyGems 3.0.3)

Fixes #270

yosifkit (Member, Author) commented Mar 7, 2019

Given the following from ruby-lang:

> It is strongly recommended for Ruby users to take one of the following workarounds as soon as possible.
>
> Workarounds
>
> RubyGems 2.7.9/3.0.3 or later includes the fix for the vulnerabilities, so upgrade RubyGems to the latest version.
>
> If you can’t upgrade RubyGems, you can apply the following patches as a workaround.

I think we should go ahead with also bumping to 3.0.3 for Ruby 2.6, and we can re-add it to the newEnoughRubygems list for 2.6.2.

@yosifkit yosifkit requested a review from tianon March 7, 2019 22:47
tianon (Member) commented Mar 7, 2019

😭 seems reasonable for now:

```console
$ for img in $(bashbrew list --uniq ruby); do echo "$img -- $(docker run --rm "$img" gem --version)"; done
ruby:2.6.1-stretch -- 3.0.1
ruby:2.6.1-slim-stretch -- 3.0.1
ruby:2.6.1-alpine3.9 -- 3.0.1
ruby:2.6.1-alpine3.8 -- 3.0.1
ruby:2.5.3-stretch -- 3.0.1
ruby:2.5.3-slim-stretch -- 3.0.1
ruby:2.5.3-alpine3.9 -- 3.0.1
ruby:2.5.3-alpine3.8 -- 3.0.1
ruby:2.4.5-stretch -- 3.0.1
ruby:2.4.5-slim-stretch -- 3.0.1
ruby:2.4.5-jessie -- 3.0.1
ruby:2.4.5-slim-jessie -- 3.0.1
ruby:2.4.5-alpine3.9 -- 3.0.1
ruby:2.4.5-alpine3.8 -- 3.0.1
ruby:2.3.8-stretch -- 3.0.1
ruby:2.3.8-slim-stretch -- 3.0.1
ruby:2.3.8-jessie -- 3.0.1
ruby:2.3.8-slim-jessie -- 3.0.1
ruby:2.3.8-alpine3.8 -- 3.0.1
ruby:2.3.8-alpine3.7 -- 3.0.1
```
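
The loop above only lists the RubyGems version each image reports; deciding which images still need the bump means comparing each version against the fixed releases named in the ruby-lang advisory (2.7.9 for the 2.x series, 3.0.3 for 3.x and later). The following Ruby script is an added example, not code from this pull request or from the docker-library/ruby repository: it uses `Gem::Version` for the comparison and runs over a constructed report in the same `image -- version` shape as the output above (the version numbers in the sample are made up to exercise both sides of the cut-off).

```ruby
# Added example: classify `gem --version` output against the fixed RubyGems
# releases from the March 2019 ruby-lang advisory. Not part of the PR.
require 'rubygems'

# Minimum patched versions per series, as stated in the advisory.
FIXED_RUBYGEMS_2X = Gem::Version.new('2.7.9')
FIXED_RUBYGEMS_3X = Gem::Version.new('3.0.3')

# True when the given RubyGems version string already includes the fix.
# 3.x (and anything newer) must be >= 3.0.3; older series must be >= 2.7.9,
# which also means 1.x never qualifies. Malformed strings count as unpatched.
def rubygems_patched?(version_string)
  version = Gem::Version.new(version_string.to_s.strip)
  return version >= FIXED_RUBYGEMS_3X if version.segments.first >= 3
  version >= FIXED_RUBYGEMS_2X
rescue ArgumentError
  false
end

# Parse "image -- version" lines (the shape produced by the bashbrew loop)
# and return the image names whose RubyGems still predates the fix.
def unpatched_images(report_lines)
  report_lines
    .map { |line| line.split(' -- ', 2).map(&:strip) }
    .reject { |_image, version| !version.nil? && rubygems_patched?(version) }
    .map(&:first)
end

# Constructed sample report (versions chosen to cover both outcomes).
SAMPLE_REPORT = [
  'ruby:2.6.1-stretch -- 3.0.1',   # 3.x below 3.0.3: still vulnerable
  'ruby:2.6.2-stretch -- 3.0.3',   # exactly the fixed 3.x release
  'ruby:2.5.3-alpine3.9 -- 2.7.9', # exactly the fixed 2.x release
  'ruby:2.4.5-stretch -- 2.7.8',   # 2.x below 2.7.9: still vulnerable
].freeze

if __FILE__ == $PROGRAM_NAME
  unpatched_images(SAMPLE_REPORT).each { |image| puts "needs RubyGems bump: #{image}" }
end
```

Feeding the real loop output into `unpatched_images` (for example by reading `STDIN.readlines`) gives the same list the maintainers worked out by hand above: with every image at 3.0.1, all of them are flagged.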

tianon (Member) commented Mar 7, 2019

(hopefully 2.6 gets updated soon: https://bugs.ruby-lang.org/issues/15637#note-8)

@tianon tianon merged commit cf386da into docker-library:master Mar 7, 2019
@tianon tianon deleted the gems branch March 7, 2019 23:53
tianon added a commit to infosiftr/stackbrew that referenced this pull request Mar 7, 2019
deivid-rodriguez (Contributor) commented

@yosifkit and @tianon Thanks for doing this.

> CC @indirect and @deivid-rodriguez, do you have any insight as to whether or not Ruby will be making a new release for this set of RubyGems CVEs?

I think yes, but I'm not 100% sure. I think Hiroshi most likely knows. @hsbt?

hsbt commented Mar 11, 2019

There is no plan to release the new versions of Ruby with the latest RubyGems immediately. We will release the next stable versions in 2Q of 2019.

tianon (Member) commented Mar 11, 2019

Ok, fair enough, thanks @hsbt!


Development

Successfully merging this pull request may close these issues.

Multiple CVEs addressed by Rubygems 3.0.3