Ruby 1.9.3-p194 is released with RubyGems security fixes (ruby-lang.org)
RubyGems 1.8.23 is also out with the same fix.
Two security issues were fixed:
* RubyGems did not validate SSL certificates (the dreaded OpenSSL::SSL::VERIFY_NONE problem).
* RubyGems allowed HTTPS-to-HTTP redirects. And in fact rubygems.org did redirect gem downloads from HTTPS to HTTP (also fixed).
Either of these means that an attacker could MITM your `gem install` or `bundle install` and give you malicious gem contents. You'd be owned when you required the gem -- possibly sooner, in fact, because gem install itself provides mechanisms for arbitrary code execution.
It's also important to note that RubyGems does not default to HTTPS. I highly recommend using `source "https://rubygems.org"` in your Gemfile and the following in your ~/.gemrc:
```yaml
:sources:
- https://rubygems.org
```
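As an added illustration (not RubyGems' own code) of what the two fixes amount to, here is a minimal gem fetcher that verifies the server certificate with `VERIFY_PEER` and refuses any redirect that downgrades HTTPS to HTTP; the function names and the `limit` parameter are my own choices.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Returns true only if following a redirect from +from+ to +to+ does not
# weaken transport security: an HTTPS origin may only redirect to HTTPS.
# A plain-HTTP origin had no protection to lose, so either scheme is allowed.
def redirect_allowed?(from, to)
  from = URI(from)
  to = URI(to)
  return false unless %w[http https].include?(to.scheme)
  return true if from.scheme == 'http'
  to.scheme == 'https'
end

# Builds a client for +uri+ that verifies the server certificate
# (VERIFY_PEER) instead of the insecure VERIFY_NONE.
def secure_http_for(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == 'https'
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  end
  http
end

# Fetches +url+, following at most +limit+ redirects and raising on any
# redirect that would downgrade HTTPS to HTTP. Certificate verification
# failures surface as OpenSSL::SSL::SSLError from Net::HTTP.
def fetch_gem_data(url, limit = 5)
  raise 'too many redirects' if limit.zero?
  uri = URI(url)
  response = secure_http_for(uri).request_get(uri.request_uri)
  case response
  when Net::HTTPSuccess
    response.body
  when Net::HTTPRedirection
    target = URI.join(url, response['location']).to_s
    unless redirect_allowed?(url, target)
      raise "refusing insecure redirect #{url} -> #{target}"
    end
    fetch_gem_data(target, limit - 1)
  else
    raise "unexpected response #{response.code} for #{url}"
  end
end
```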