* Upgrade Ruby version 2.4.9 to 2.4.10, 2.5.7 to 2.5.8, 2.6.5 to 2.6.6, 2.7.0 to 2.7.1
* correct SHA256 hash values for the .tar.xz files
* updating Ruby version/hashes in a few missed files

Stop setting `BUNDLE_PATH`.

All default bundler versions shipped with all supported rubies install
gems to `GEM_HOME` by default, so this shouldn't be a breaking change
and it's a less surprising behavior because it does not deviate from how
bundler is configured by default.

Future versions will probably install locally by default, but that
hasn't happened yet.

I think leaving bundler "unconfigured" also matches the direction of the
recent change where the images no longer explicitly install `bundler` but
simply leave whatever version comes with ruby. Similarly, it makes sense
to me to leave whatever configuration comes by default with `bundler` in
place.

Newer bundler versions install gems to `$GEM_HOME/ruby/<ruby_version>`,
instead of directly to `$GEM_HOME`.

So we need to add the proper paths to `GEM_PATH` and `PATH` so that gems
and their executables are properly found.

Mitigates the following vulnerabilities:
- CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
- CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
- CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
- CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick’s Digest access authentication