科技回声 (Tech Echo)

A tech news platform built with Next.js, providing global tech news and discussion.

© 2025 科技回声. All rights reserved.

Ruby 1.9.3-p194 is released with RubyGems security fixes

46 points by jfirebaugh about 13 years ago

1 comment

jfirebaugh about 13 years ago
RubyGems 1.8.23 is also out with the same fix.

Two security issues were fixed:

* RubyGems did not validate SSL certificates (the dreaded OpenSSL::SSL::VERIFY_NONE problem).

* RubyGems allowed HTTPS-to-HTTP redirects. And in fact rubygems.org did redirect gem downloads from HTTPS to HTTP (also fixed).

Either of these mean that an attacker could MITM your `gem install` or `bundle install` and give you malicious gem contents. You'd be owned when you required the gem -- possibly sooner, in fact, because gem install itself provides mechanisms for arbitrary code execution.

It's also important to note that RubyGems does not default to HTTPS. I highly recommend using `source "https://rubygems.org"` in your Gemfile and the following in your ~/.gemrc:

    :sources:
    - https://rubygems.org
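The two defects in the comment above (no certificate verification, and following HTTPS-to-HTTP redirects) are easy to reproduce in any hand-rolled downloader, so here is an added example of a fetcher that avoids both. It is not RubyGems' code; the helper names (`allowed_redirect?`, `fetch_verified`, `DowngradeError`) are my own.

```ruby
require "net/http"
require "openssl"
require "uri"

# Raised when a redirect would step down from https to http, or when the
# redirect chain is too long.
class DowngradeError < StandardError; end

# Decide whether following the Location header `location` from `current`
# is acceptable. Relative locations are resolved against `current`, so a
# "/path" redirect keeps the original scheme. https -> https (even to another
# host) is fine; https -> http is a downgrade and is rejected; anything that
# is not http(s) is rejected.
def allowed_redirect?(current, location)
  return false if location.nil? || location.empty?
  from = URI(current)
  to = from.merge(location)
  return false unless %w[http https].include?(to.scheme)
  !(from.scheme == "https" && to.scheme != "https")
end

# Fetch `url`, following at most `limit` redirects. On https the server
# certificate is verified against the system trust store: VERIFY_PEER, never
# VERIFY_NONE (the first bug the comment describes). Redirects are filtered
# with allowed_redirect? (the second bug).
def fetch_verified(url, limit = 5)
  raise DowngradeError, "too many redirects" if limit.zero?
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == "https"
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  end
  response = http.request(Net::HTTP::Get.new(uri.request_uri))
  case response
  when Net::HTTPRedirection
    location = response["location"]
    unless allowed_redirect?(url, location)
      raise DowngradeError, "refusing redirect from #{url} to #{location.inspect}"
    end
    fetch_verified(uri.merge(location).to_s, limit - 1)
  else
    response
  end
end
```

`fetch_verified` needs network access; `allowed_redirect?` is pure and is what you would unit-test with constructed URLs (the `cdn.example` host below is a made-up value).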