Diffstat (limited to 'lib/bundler/fetcher.rb')
-rw-r--r--lib/bundler/fetcher.rb13
1 files changed, 11 insertions, 2 deletions
diff --git a/lib/bundler/fetcher.rb b/lib/bundler/fetcher.rb
index 5c1eac415e..08d1ee3437 100644
--- a/lib/bundler/fetcher.rb
+++ b/lib/bundler/fetcher.rb
@@ -81,7 +81,7 @@ module Bundler
:HTTPRequestURITooLong, :HTTPUnauthorized, :HTTPUnprocessableEntity,
:HTTPUnsupportedMediaType, :HTTPVersionNotSupported].freeze
FAIL_ERRORS = begin
- fail_errors = [AuthenticationRequiredError, BadAuthenticationError, AuthenticationForbiddenError, FallbackError]
+ fail_errors = [AuthenticationRequiredError, BadAuthenticationError, AuthenticationForbiddenError, FallbackError, SecurityError]
fail_errors << Gem::Requirement::BadRequirementError
fail_errors.concat(NET_ERRORS.map {|e| Net.const_get(e) })
end.freeze
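Review bot: The bare `SecurityError` added to `FAIL_ERRORS` is resolved lexically inside `module Bundler`, so it names `Bundler::SecurityError` only if that class is already defined when this constant is evaluated; otherwise it silently falls through to Ruby's core `::SecurityError`. Writing `Bundler::SecurityError` would remove the ambiguity, and a comment such as `# checksum mismatches must abort the install, never trigger a fetcher fallback` would record why an integrity failure belongs in this list. The code that rescues `FAIL_ERRORS` is outside the hunk, so the exact effect (presumably re-raise instead of trying the next fetcher) should be confirmed there.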
@@ -139,7 +139,16 @@ module Bundler
fetch_specs(gem_names).each do |name, version, platform, dependencies, metadata|
spec = if dependencies
- EndpointSpecification.new(name, version, platform, self, dependencies, metadata)
+ EndpointSpecification.new(name, version, platform, self, dependencies, metadata).tap do |es|
+ unless index.local_search(es).empty?
+ # Duplicate spec.full_names, different spec.original_names
+ # index#<< ensures that the last one added wins, so if we're overriding
+ # here, make sure to also override the checksum, otherwise downloading the
+ # specs (even if that version is completely unused) will cause a SecurityError
+ source.checksum_store.delete_full_name(es.full_name)
+ end
+ source.checksum_store.register(es, [es.checksum]) if source && es.checksum
+ end
else
RemoteSpecification.new(name, version, platform, self)
end
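Review bot: `source.checksum_store.delete_full_name(es.full_name)` runs without the `source &&` guard that the `register` line just below it uses, so a nil `source` would raise NoMethodError whenever `index.local_search(es)` finds a duplicate; the condition could read `unless source.nil? || index.local_search(es).empty?`. The delete is also unconditional while the re-register depends on `es.checksum`, so a duplicate entry that arrives without a checksum removes the stored digest and leaves that full name with nothing to verify against at download time; that case deserves at least a warning, or the delete should be skipped when `es.checksum` is nil. The comment describes the override as being for differing `original_name`s, but the code does not check that, and whether `delete_full_name` also drops checksums recorded from other origins is not visible here. The enclosing method starts and ends outside the hunk.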