Rebuilt Rubies with libyaml 0.1.6 for CVE-2014-2525
Change effective on 27 March 2014
libyaml had a security issue, CVE-2014-2525: a heap-based buffer overflow triggered by a specially crafted YAML file containing a long sequence of percent-encoded characters in a URL. We've recompiled all affected MRI Rubies we support with libyaml 0.1.6, which fixes this issue: 1.9.2, 1.9.3, 2.0.0, 2.1.1. To receive this update, just push to your app:
$ git commit -m "update ruby for CVE-2014-2525" --allow-empty
$ git push heroku master
This is not a patchlevel change; only the vendored libyaml version has been updated.
You can see which version of libyaml your app is using by running:
$ heroku run "ruby -rpsych -e 'p Psych.libyaml_version'" --app sushi
Running `ruby -rpsych -e 'p Psych.libyaml_version'` attached to terminal... up, run.3580
[0, 1, 6]
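The version check above can be turned into a boot-time or CI gate. The following Ruby is an added example, not part of the Heroku changelog: it reads `Psych.libyaml_version` the same way the command above does and compares it to 0.1.6, the release that fixes CVE-2014-2525. The helper names are hypothetical; the fixed version and CVE id come from this entry.

```ruby
# Added example: gate on the libyaml version linked into the running Ruby.
# The minimum version (0.1.6) and the CVE id come from the Heroku changelog;
# the helper names are hypothetical.

# libyaml release that fixes CVE-2014-2525, as stated in the changelog.
LIBYAML_FIXED_VERSION = [0, 1, 6].freeze

# Compare two version arrays component by component, padding the shorter
# one with zeros so [0, 1] == [0, 1, 0]. Returns -1, 0 or 1 like <=>.
def compare_versions(a, b)
  width = [a.length, b.length].max
  padded_a = a + [0] * (width - a.length)
  padded_b = b + [0] * (width - b.length)
  padded_a <=> padded_b
end

# True when the given libyaml version includes the CVE-2014-2525 fix.
def libyaml_patched?(version, minimum = LIBYAML_FIXED_VERSION)
  compare_versions(version, minimum) >= 0
end

# Read the libyaml version via Psych, as `ruby -rpsych -e 'p
# Psych.libyaml_version'` does. Returns nil when Psych cannot be loaded.
def runtime_libyaml_version
  require 'psych'
  Psych.libyaml_version
rescue LoadError
  nil
end

# One-line verdict suitable for a CI log.
def libyaml_status_line(version = runtime_libyaml_version)
  return 'libyaml: Psych not available, cannot determine version' if version.nil?
  dotted = version.join('.')
  if libyaml_patched?(version)
    "libyaml #{dotted}: patched for CVE-2014-2525"
  else
    needed = LIBYAML_FIXED_VERSION.join('.')
    "libyaml #{dotted}: VULNERABLE to CVE-2014-2525, needs >= #{needed}"
  end
end

puts libyaml_status_line if $PROGRAM_NAME == __FILE__
```

On the rebuilt Rubies this prints `libyaml 0.1.6: patched for CVE-2014-2525`; wire the boolean into your CI step if you want the build to fail on an older libyaml.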