Update Ruby's libyaml to 0.1.7 for CVE-2014-9130

Change effective on 17 November 2016

Ruby on Heroku was affected by CVE-2014-9130. The following Rubies have been compiled with libyaml 0.1.7 to mitigate this issue:

  • 2.3.2
  • 2.2.6
  • 2.1.9
  • 2.1.10

If you’ve deployed your app with 2.3.2 or 2.2.6, they’re already using libyaml 0.1.7.

Ruby 2.1.9 and 2.1.10 were originally released with an older, affected version of libyaml. They have now been recompiled with libyaml 0.1.7; redeploying with either of these versions will pull in the patched libyaml.

If you’re using an older version of Ruby 2.3.x, 2.2.x or 2.1.x, it’s strongly recommended you upgrade to the latest TEENY.

If your application is using the psych gem, upon next push your bundler cache will clear so psych can recompile against libyaml 0.1.7.
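To confirm which libyaml a running dyno's Ruby is actually linked against (for example after the redeploy or bundler cache clear described above), the psych extension exposes the libyaml version string it was compiled with as `Psych::LIBYAML_VERSION`. The script below is an added example and is not part of the Heroku changelog; the helper names `libyaml_patched?` and `libyaml_report` are ours, and the 0.1.7 threshold is the version named in this changelog.

```ruby
# Added example (not from the Heroku changelog): check whether the libyaml
# that Ruby's psych extension is linked against is at least 0.1.7, the
# version this changelog names as the fix for CVE-2014-9130.
require 'rubygems'
require 'psych'

# Minimum libyaml version named by the changelog.
PATCHED_LIBYAML = Gem::Version.new('0.1.7')

# True when `version` (a string such as "0.1.6") is >= 0.1.7.
# Defaults to the libyaml version psych was compiled against.
def libyaml_patched?(version = Psych::LIBYAML_VERSION)
  Gem::Version.new(version) >= PATCHED_LIBYAML
end

# Summary for the running interpreter: Ruby, psych and libyaml versions,
# plus whether libyaml meets the patched threshold.
def libyaml_report
  {
    ruby: RUBY_VERSION,
    psych: Psych::VERSION,
    libyaml: Psych::LIBYAML_VERSION,
    patched: libyaml_patched?
  }
end

if __FILE__ == $PROGRAM_NAME
  r = libyaml_report
  puts "ruby #{r[:ruby]}, psych #{r[:psych]}, libyaml #{r[:libyaml]}"
  if r[:patched]
    puts 'libyaml is at or above 0.1.7 (CVE-2014-9130 fix present)'
  else
    puts 'libyaml is older than 0.1.7: redeploy or upgrade Ruby'
  end
  exit(r[:patched] ? 0 : 1)
end
```

Run it with `heroku run ruby check_libyaml.rb` (or locally) and use the exit status in a deploy check; a non-zero exit means the app is still loading the unpatched library, which is exactly the case the bundler cache clear is meant to cure.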