From ComputerWorld: A revised patch has been released for a flaw in the distribution platform for Ruby applications, RubyGems, which could be used to deliver malware to someone trying to download a program.
RubyGems lets people search for a "gem," which is a packaging format for Ruby applications and code libraries. Ruby developers publish a gem when an application is ready.
Security researchers from Trustwave found a problem with the platform. When people search for a gem, RubyGems uses a DNS (Domain Name System) SRV record request to find a server hosting a particular gem.
The request, however, "does not require that DNS replies come from the same security domain as the original gem source," according to a writeup, which Trustwave plans to release on its blog on Tuesday.
An attacker using the flaw could redirect a RubyGems client to a different server and supply a malicious program in place of the requested gem, Trustwave wrote, adding that the redirect bypasses any SSL/TLS check.
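The missing check described above, as an added illustration (example code, not RubyGems' own patch): an SRV target is accepted only when it is the original gem source's host or a subdomain of it, compared label by label so a look-alike name in an unrelated domain is rejected. The source URL and SRV replies below are constructed sample values.

```ruby
require 'uri'

# Constructed helper (not RubyGems' own code): decide whether a DNS SRV
# target may replace the host of the original gem source URL.
# Policy: the target must be the source host itself or a subdomain of it,
# compared label by label, so "rubygems.org.unrelated.example" is rejected.
def srv_target_allowed?(source_url, srv_target)
  source_host = URI.parse(source_url).host
  return false if source_host.nil? || srv_target.nil?
  source_labels = source_host.downcase.chomp('.').split('.')
  target_labels = srv_target.downcase.chomp('.').split('.')
  return false if target_labels.length < source_labels.length
  target_labels.last(source_labels.length) == source_labels
end

# Pick the host to fetch from: follow the first SRV target that passes the
# same-domain check; otherwise fall back to the original source host.
def resolve_gem_host(source_url, srv_targets)
  source_host = URI.parse(source_url).host
  srv_targets.each do |target|
    return target.chomp('.') if srv_target_allowed?(source_url, target)
  end
  source_host
end

if __FILE__ == $PROGRAM_NAME
  src = 'https://rubygems.org'
  # Constructed SRV replies: one inside the source domain, one outside it.
  p resolve_gem_host(src, ['api.rubygems.org.'])            # => "api.rubygems.org"
  p resolve_gem_host(src, ['rubygems.org.unrelated.example.']) # => "rubygems.org"
end
```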