*** This bug is a security vulnerability *** Public security bug reported:
Running "gem install $FOO" fetches $FOO using unencrypted HTTP, which is
insecure.

Steps to reproduce:

1. apt-get install ruby
2. echo 'source "https://rubygems.org"' > Gemfile
3. gem install bundler

One would expect this to use HTTPS to download but it's not the case.

Additional information:

# lsb_release -rd
Description:    Ubuntu 14.04.2 LTS
Release:        14.04

# apt-cache policy ruby
ruby:
  Installed: 1:1.9.3.4
  Candidate: 1:1.9.3.4
  Version table:
 *** 1:1.9.3.4 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

** Affects: ruby1.9.1 (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ruby1.9.1 in Ubuntu.
https://bugs.launchpad.net/bugs/1467716

Title:
  "gem install" fetches packages from unencrypted HTTP URL

-- 
Ubuntu-server-bugs mailing list
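As an added example (not part of the report, and not RubyGems' own code): a small Ruby audit of the source list that `gem install` actually consults. Note that the `source` line in a Gemfile only governs Bundler; plain `gem install` reads `Gem.sources` (the built-in defaults plus `~/.gemrc`), so that list is what must be HTTPS-only. The script flags plaintext entries and prints the `gem sources --remove` / `--add` commands that fix them; the sample source list in the test is constructed.

```ruby
#!/usr/bin/env ruby
# Added example (not part of the Launchpad report): audit the RubyGems
# source list for plaintext HTTP and emit the remediation commands.
require 'rubygems'
require 'uri'

# Normalises Gem::Source objects or plain strings to URI strings.
def source_strings(sources)
  sources.map { |s| s.respond_to?(:uri) ? s.uri.to_s : s.to_s }
end

# Returns the entries of +sources+ that are not HTTPS: plaintext http://,
# schemeless, or unparsable. Anything here can be tampered with on-path.
def insecure_sources(sources)
  source_strings(sources).select do |s|
    uri = begin
      URI.parse(s)
    rescue URI::InvalidURIError
      nil
    end
    uri.nil? || uri.scheme != 'https'
  end
end

# Builds the `gem sources` commands that remove each insecure entry and,
# for http:// URLs, re-add the same host over https.
def remediation_commands(sources)
  insecure_sources(sources).flat_map do |s|
    cmds = ["gem sources --remove #{s}"]
    cmds << "gem sources --add #{s.sub(/\Ahttp:/, 'https:')}" if s.start_with?('http://')
    cmds
  end
end

if __FILE__ == $PROGRAM_NAME
  current = Gem.sources.to_a   # what `gem install` would use on this host
  bad = insecure_sources(current)
  if bad.empty?
    puts "all #{current.size} gem source(s) use HTTPS"
  else
    puts "insecure gem sources: #{bad.join(', ')}"
    puts remediation_commands(current)
  end
end
```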
