Gleb Mazovetskiy

@evanphx Can we find out whose account it was pushed from?

There is currently only 2 people who have push rights to this gem: @thomas-mcdonald and me. I've changed my password just now. Still need to go through all my gems,...

I've changed my password on rubygems.org and removed Thomas from owners for now as a precaution, @evanphx also got in touch with me via email.

> Will you restore a safe version of 3.2.0.2? Yes, but not for a few days (maybe longer) as I'm busy. Upgrading to v3.4.1 is recommended, and should be easy...

Huh, it should not be possible to download yanked gems.

@evanphx How is this possible?

Ah, there is an answer in https://github.com/rubygems/rubygems.org/issues/1941

I think a CVE should be created even if the yanking did work!

I'll release 3.2.0.4 (identical to 3.2.0.2) later today.

v3.2.0.4 released