* Upgrade Ruby version 2.4.9 to 2.4.10, 2.5.7 to 2.5.8, 2.6.5 to 2.6.6, 2.7.0 to 2.7.1
* correct SHA256 hash values for the .tar.xz files
* updating Ruby version/hashes in a few missed files
Stop setting `BUNDLE_PATH`.
All default bundler versions shipped with all supported rubies install
gems to `GEM_HOME` by default, so this shouldn't be a breaking change
and it's a less surprising behavior because it does not deviate from how
bundler is configured by default.
Future versions will probably install locally by default, but that
hasn't happened yet.
I think leaving bundler "unconfigured" also matches the direction of the
recent change where the images no longer explicitly install `bundler` but
simply leave whatever version comes with ruby. Similarly, it makes sense
to me to leave whatever configuration comes by default with `bundler` in
place.
Newer bundler versions install gems to `$GEM_HOME/ruby/<ruby_version>`,
instead of directly to `$GEM_HOME`.
So we need to add the proper paths to `GEM_PATH` and `PATH` so that gems
and their executables are properly found.
Mitigates the following vulnerabilities:
- CVE-2019-16255: A code injection vulnerability of Shell#[] and
Shell#test
- CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
- CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
File.fnmatch?
- CVE-2019-16201: Regular Expression Denial of Service vulnerability
of WEBrick’s Digest access authentication
This also adjusts Bundler to be explicitly fixed at either 1.17.2 or the Ruby/Rubygems-bundled version, whichever is newer -- this is slightly older than what we've already pushed (1.17.3), but nothing in the changelog appears to be relevant, so this seems fine: https://github.com/bundler/bundler/compare/v1.17.2...v1.17.3#diff-4ac32a78649ca5bdd8e0ba38b7006a1e
For Ruby 2.6, this means we no longer do anything to the bundled Rubygems (or Bundler), and simply provide whatever comes with the Ruby release as-is, and it is now up to users to explicitly update if they need a newer version than is provided here.
