Update Ruby's libyaml to 0.1.7 for CVE-2014-9130
Change effective on 17 November 2016
Ruby on Heroku was affected by CVE-2014-9130. The following Rubies have been compiled with libyaml 0.1.7 to mitigate this issue:
If you’ve deployed your app with 2.2.6, they’re already using libyaml
2.1.10 were released originally with an older version of libyaml which was affected. As of now, they’ve been recompiled with libyaml 0.1.7. Deploying with these versions will pick up the required libyaml.
If you’re using an older version of Ruby 2.1.x, it’s strongly recommended you upgrade to the latest TEENY.
If your application is using the psych gem, upon next push your bundler cache will clear so psych can recompile against libyaml
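To confirm after a redeploy that the running Ruby is linked against a patched libyaml, the following added example (not part of the original changelog) compares the version Psych reports with 0.1.7. The helper names `libyaml_patched?` and `libyaml_report` are made up for this example.

```ruby
require "rubygems"
require "psych"

# libyaml release this changelog names as the mitigation for CVE-2014-9130.
PATCHED_LIBYAML = Gem::Version.new("0.1.7")

# True when the version string is at or above the patched release.
# Gem::Version compares segments numerically, so "0.1.10" ranks above
# "0.1.7" (a plain string comparison would get that wrong).
# Unparseable input counts as not patched, so the check fails closed.
def libyaml_patched?(version_string)
  Gem::Version.new(version_string.to_s.strip) >= PATCHED_LIBYAML
rescue ArgumentError
  false
end

# Collects what the running interpreter reports about its YAML stack.
# Psych::LIBYAML_VERSION is the libyaml version Psych is linked against,
# whether Psych comes from the Ruby build or from the psych gem.
def libyaml_report
  linked = Psych::LIBYAML_VERSION
  {
    ruby: RUBY_VERSION,
    psych: Psych::VERSION,
    libyaml: linked,
    patched: libyaml_patched?(linked),
  }
end

if $PROGRAM_NAME == __FILE__
  report = libyaml_report
  puts "ruby=#{report[:ruby]} psych=#{report[:psych]} libyaml=#{report[:libyaml]}"
  # A non-zero exit lets a release or CI step fail on an unpatched build.
  abort "libyaml #{report[:libyaml]} predates #{PATCHED_LIBYAML}" unless report[:patched]
  puts "libyaml is at or above #{PATCHED_LIBYAML}"
end
```

Run it inside the app's own environment with the app's bundle loaded, so that a Gemfile-installed psych is the one being inspected.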