Ruby 2.4.5, 2.5.3, and 2.6.1 patched to protect against several CVEs in RubyGems

Change effective on 05 March 2019

The following CVEs have been released that affect RubyGems:

  • CVE-2019-8320
  • CVE-2019-8321
  • CVE-2019-8322
  • CVE-2019-8323
  • CVE-2019-8324
  • CVE-2019-8325

For more information about the vulnerabilities, please see the RubyGems March 2019 security advisories.

To protect your application from these vulnerabilities, ensure that it is running one of the patched Ruby versions: 2.4.5, 2.5.3, or 2.6.1 (set with the ruby directive in your Gemfile). Then trigger a deploy. Being on one of these versions is not enough by itself: the patched RubyGems ships inside Heroku's rebuilt Ruby binaries under the same version numbers, so the app has to be built again to pick it up. An empty commit is sufficient:

$ git commit --allow-empty -m "Bump RubyGems on Heroku"
$ git push heroku master

To see if your app is patched, wait for the deploy to finish, then open a one-off dyno with heroku run bash and run gem -v. The one-off dyno runs the current release, so it reflects what was just deployed. You should see the following RubyGems versions, depending on which Ruby version you are using:

  • Ruby 2.4.5: RubyGems 2.6.14.4
  • Ruby 2.5.3: RubyGems 2.7.6.1
  • Ruby 2.6.1: RubyGems 3.0.3

If you are using an older Ruby version that is not listed on this page, the RubyGems bundled with it has not been patched. Upgrade to one of these three currently supported Ruby versions by changing the ruby directive in your Gemfile, then redeploy.
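The manual gem -v check above can be turned into a script that compares the running RubyGems against the version this page lists for the running Ruby. The following is an added example, not code from the Heroku changelog or the Ruby buildpack; the file name check_rubygems_patch.rb and the report wording are assumptions, while the version table is the one given above. It uses Gem::Version rather than string comparison, so a pre-patch build such as RubyGems 2.6.14.3 on Ruby 2.4.5, or 3.0.1 on Ruby 2.6.1, is correctly reported as unpatched.

```ruby
# check_rubygems_patch.rb
# Added example, not part of the Heroku changelog. Run it in a one-off
# dyno after deploying (heroku run ruby check_rubygems_patch.rb) to confirm
# that the RubyGems bundled with the running Ruby is at least the patched
# version this page lists for that Ruby.

# Patched RubyGems version per Ruby version, as listed on this page. Ruby
# versions absent from this table have no Heroku-patched RubyGems build.
PATCHED_RUBYGEMS = {
  "2.4.5" => "2.6.14.4",
  "2.5.3" => "2.7.6.1",
  "2.6.1" => "3.0.3",
}.freeze

# Compare with Gem::Version rather than String: "2.6.14.3" < "2.6.14.4" and
# "3.0.1" < "3.0.3" compare as versions, and "2.7.6" sorts below "2.7.6.1"
# because the missing trailing segment is treated as zero.
# Returns :patched, :unpatched, or :unsupported_ruby.
def rubygems_patch_status(ruby_version, gem_version)
  required = PATCHED_RUBYGEMS[ruby_version]
  return :unsupported_ruby unless required

  Gem::Version.new(gem_version) >= Gem::Version.new(required) ? :patched : :unpatched
end

# One-line report for a given Ruby/RubyGems pair (defaults to the dyno's own).
def rubygems_patch_report(ruby_version = RUBY_VERSION, gem_version = Gem::VERSION)
  status = rubygems_patch_status(ruby_version, gem_version)
  detail =
    case status
    when :patched
      "RubyGems #{gem_version} is at or above #{PATCHED_RUBYGEMS[ruby_version]}"
    when :unpatched
      "RubyGems #{gem_version} is below #{PATCHED_RUBYGEMS[ruby_version]}; trigger a deploy"
    when :unsupported_ruby
      "Ruby #{ruby_version} has no patched RubyGems build; upgrade to " \
        "#{PATCHED_RUBYGEMS.keys.join(', ')} in the Gemfile and redeploy"
    end
  "#{status}: #{detail}"
end

if __FILE__ == $PROGRAM_NAME
  puts "Ruby #{RUBY_VERSION}, RubyGems #{Gem::VERSION}"
  puts rubygems_patch_report
  # Exit non-zero when a listed Ruby is still on the old RubyGems, so the
  # check can gate a release script. An unlisted Ruby is reported but not
  # failed here, since its fix is a Gemfile change rather than a redeploy.
  exit 1 if rubygems_patch_status(RUBY_VERSION, Gem::VERSION) == :unpatched
end
```

Running it before the redeploy on a Ruby 2.6.1 app prints "unpatched: RubyGems 3.0.1 is below 3.0.3; trigger a deploy"; after the redeploy the same app reports "patched".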