Heroku Changelog Rebuilt Rubies with libyaml 0.1.6 for CVE-2014-2525

Change effective on 27 March 2014

CVE-2014-2525 is a heap-based buffer overflow in libyaml that is exposed when parsing a specially crafted file containing a long sequence of percent-encoded characters in a URL. We’ve recompiled all affected MRI Rubies we support (1.9.2, 1.9.3, 2.0.0, 2.1.1) with libyaml 0.1.6, which fixes this issue. To receive this update, just push to your app:

$ git commit -m "update ruby for CVE-2014-2525" --allow-empty
$ git push heroku master

This is not a patchlevel change; only the vendored libyaml version has been updated.

You can see which version of libyaml your app is using by running:

$ heroku run "ruby -rpsych -e 'p Psych.libyaml_version'" --app sushi
Running `ruby -rpsych -e 'p Psych.libyaml_version'` attached to terminal... up, run.3580
[0, 1, 6]
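
Because the Ruby patchlevel does not change with this rebuild, a deploy or boot-time check has to compare the linked libyaml version itself. The following is an added example, not Heroku's code, built on the same `Psych.libyaml_version` call; the helper names and the report format are hypothetical.

```ruby
require 'psych'

# First libyaml release carrying the CVE-2014-2525 fix, per this changelog entry.
FIXED_LIBYAML = [0, 1, 6].freeze

# Accepts the [major, minor, patch] array returned by Psych.libyaml_version,
# or a dotted string such as Psych::LIBYAML_VERSION, and returns three integers.
def normalize_libyaml_version(version)
  parts = version.is_a?(String) ? version.split('.') : Array(version)
  ints = parts.first(3).map { |p| Integer(p.to_s, 10) }
  raise ArgumentError, "unexpected libyaml version: #{version.inspect}" unless ints.size == 3
  ints
end

# True when the given libyaml (default: the one this Ruby is linked against)
# is at or past the fixed release. Arrays compare element by element.
def libyaml_patched?(version = Psych.libyaml_version)
  (normalize_libyaml_version(version) <=> FIXED_LIBYAML) >= 0
end

# One-line status for a deploy log. The Ruby version and patchlevel are shown
# only for context: the same patchlevel can ship with either libyaml build.
def libyaml_report(version = Psych.libyaml_version)
  v = normalize_libyaml_version(version).join('.')
  status = libyaml_patched?(version) ? 'OK' : 'VULNERABLE'
  "#{status}: libyaml #{v} (need >= #{FIXED_LIBYAML.join('.')}), " \
    "ruby #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}"
end

# Report on the running interpreter. In an initializer or CI step, use
# `abort(libyaml_report) unless libyaml_patched?` to stop on an old build.
puts libyaml_report
```
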