Gemcutter Security Alert - gem update gemcutter published 08 Dec 2009 by Nick Quaranto
Early last month, thanks to a hat-tip from Tim Carey-Smith, a vulnerability was found in Gemcutter’s ownership system that allowed access to other users’ API keys. David Dollar was quick to fix the issue, but due to miscommunication on my part, the Gemcutter API keys were never reset in response to the security hole.
I’ve now reset all Gemcutter API keys for all users. In order to push your gems once again, you’ll need to simply update the Gemcutter gem:
gem update gemcutter
When you need to gem push again, you’ll be prompted to sign in and your new API key will be fetched. That’s all you should need to do in order to be back up to speed with releasing gems. No known compromises of gems have happened, to our knowledge, during the time since the vulnerability was closed. Downloading gems has not been affected by this issue.
Going forward, I’ve set up a new address for reporting security issues with the site at firstname.lastname@example.org. Please report any code vulnerabilities you find there from now on. A security policy akin to Rails’ regarding vulnerability issues will be set up soon and announced on the mailing list once completed. Sorry for the inconvenience here folks, and thanks for using Gemcutter.