Given the following from ruby-lang:

It is strongly recommended for Ruby users to take one of the following workarounds as soon as possible.

Workarounds

RubyGems 2.7.9/3.0.3 or later includes the fix for the vulnerabilities, so upgrade RubyGems to the latest version.

If you can’t upgrade RubyGems, you can apply the following patches as a workaround.

I think we should go ahead with also bumping to 3.0.3 for Ruby 2.6 and we can re-add it back to the newEnoughRubygems list for 2.6.2.

😭 seems reasonable for now:

$ for img in $(bashbrew list --uniq ruby); do echo "$img -- $(docker run --rm "$img" gem --version)"; done
ruby:2.6.1-stretch -- 3.0.1
ruby:2.6.1-slim-stretch -- 3.0.1
ruby:2.6.1-alpine3.9 -- 3.0.1
ruby:2.6.1-alpine3.8 -- 3.0.1
ruby:2.5.3-stretch -- 3.0.1
ruby:2.5.3-slim-stretch -- 3.0.1
ruby:2.5.3-alpine3.9 -- 3.0.1
ruby:2.5.3-alpine3.8 -- 3.0.1
ruby:2.4.5-stretch -- 3.0.1
ruby:2.4.5-slim-stretch -- 3.0.1
ruby:2.4.5-jessie -- 3.0.1
ruby:2.4.5-slim-jessie -- 3.0.1
ruby:2.4.5-alpine3.9 -- 3.0.1
ruby:2.4.5-alpine3.8 -- 3.0.1
ruby:2.3.8-stretch -- 3.0.1
ruby:2.3.8-slim-stretch -- 3.0.1
ruby:2.3.8-jessie -- 3.0.1
ruby:2.3.8-slim-jessie -- 3.0.1
ruby:2.3.8-alpine3.8 -- 3.0.1
ruby:2.3.8-alpine3.7 -- 3.0.1

(hopefully 2.6 gets updated soon: https://bugs.ruby-lang.org/issues/15637#note-8)

@yosifkit and @tianon Thanks for doing this.

CC @indirect and @deivid-rodriguez, do you have any insight as to whether or not Ruby will be making a new release for this set of RubyGems CVEs?

I think yes, but I'm not 100% sure. I think Hiroshi most likely knows. @hsbt?

There is no plan to release the new versions of Ruby with the latest RubyGems immediately. We will release the next stable versions in 2Q of 2019.

Ok, fair enough, thanks @hsbt!