Rebuilt Rubies with new libyaml for CVE-2013-6393
Change effective on 04 February 2014
Yesterday, there was a security incident with libyaml, CVE-2013-6393, which exposed a heap-based buffer overflow when parsing YAML tags. We’ve recompiled all affected MRI Rubies we support (1.9.2, 1.9.3, 2.0.0, 2.1.0) with libyaml 0.1.5, which fixes this issue. To receive this update, just push to your app:
$ git commit -m "update ruby for CVE-2013-6393" --allow-empty
$ git push heroku master
This is not a patchlevel change; only the vendored libyaml version has been updated.
You can see which version of libyaml your app is using by running:
$ heroku run "ruby -rpsych -e 'p Psych.libyaml_version'" --app sushi
Running `ruby -rpsych -e 'p Psych.libyaml_version'` attached to terminal... up, run.3580
[0, 1, 5]
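A boot-time guard built on the same Psych.libyaml_version call, as an added example that is not Heroku's code. The constant and method names are hypothetical; the 0.1.5 threshold is the fixed version named above.

```ruby
require 'psych'

# First libyaml release that this changelog entry says fixes CVE-2013-6393.
FIXED_LIBYAML = [0, 1, 5].freeze

# True when a [major, minor, patch] triple is at or above the fixed release.
# Array#<=> compares element by element, so [0, 1, 10] ranks above [0, 1, 5],
# which a plain string comparison of "0.1.10" and "0.1.5" would get wrong.
def libyaml_patched?(version = Psych.libyaml_version)
  (version <=> FIXED_LIBYAML) >= 0
end

# Hypothetical guard for an initializer or CI step: fail closed when the
# Ruby in use is still linked against a libyaml older than the fixed one.
def assert_libyaml_patched!(version = Psych.libyaml_version)
  return version if libyaml_patched?(version)
  raise SecurityError,
        "libyaml #{version.join('.')} is older than " \
        "#{FIXED_LIBYAML.join('.')}; redeploy to pick up the rebuilt Ruby"
end

if __FILE__ == $PROGRAM_NAME
  assert_libyaml_patched!
  puts "libyaml #{Psych.libyaml_version.join('.')} OK"
end
```

Because the Ruby patchlevel is unchanged by the rebuild, checking RUBY_PATCHLEVEL alone would not tell a patched build from an unpatched one; the linked libyaml version is the value to test.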