Rubygems site recovers from compromise
The volunteers that run the Rubygems.org repository of components for Ruby applications are checking those components to ensure they haven't been tampered with after the platform was compromised. Attackers uploaded a gem to the site which had a metadata file that used the Rails YAML flaws to copy initialisation and configuration information to the Pastie clippings site.
The attack was a variation of the various flaws and issues found in Rails earlier this month, with the difference being that the vector used to get to the unsafe Psych YAML parser was via the Rubygems metadata processing rather than through HTTP requests. It is believed the attackers were looking for API keys, which were not in those files. Upon discovery of the compromise, after it was reported on Hacker News, the entire site was placed into "maintenance mode", the "exploit gem" and account used to upload it were deleted, and Rubygems.org's Amazon S3 keys were reset.
The developers then set about checking all gems stored on Rubygems.org against mirrors held on Amazon S3 or more recent mirrors from sites like Heroku. At time of writing, the status page for Rubygems.org reports that the core API, dependency API and load balancers are now back online and that 90% of the gems have been checked and have matched two or more mirrors; Rubygems.org is still in read-only mode though. The status page was so overloaded that the developers also created a Google Doc with status information in it. The Twitter account @rubygems_status is also providing updates.
(djwm)