safe_yaml 1.0.2 warning #2207
Comments
This is consistent with the new release's handling of CVE-2014-2525 (see dtao/safe_yaml#56). You need to re-install libyaml to 0.1.6 and (possibly) reinstall your Ruby. /cc @dtao
Well, nothing works for me. I even re-installed Ruby and everything and I still get that warning when running Jekyll.
That's super weird. Can you comment on the safe_yaml issue I linked to above? I believe it would be beneficial – I certainly don't want these noisy warnings if there is nothing to fear. You re-installed libyaml and everything? Hm.
I did install everything from scratch after deleting my Ruby folder and everything. I also did
Yep, I see this as well. Reinstalling psych doesn't clear it. Suggestions on what to test? I'm running: ruby 2.1.0p0 (2013-12-25 revision 44422) and jekyll [x86_64-darwin12.0]
After some screwing around,
fixed it. Now the right
This is honestly a bit of an unfortunate mess, which I haven't fully figured out yet.

If you're using RVM, it seems updating the psych gem affects the current Ruby, which fixes the problem, unless you're using Bundler, in which case you also need to add

If you have Ruby installed system-wide, on the other hand, I'm not sure updating the psych gem accomplishes anything. I could be wrong about that. However, if you're using Ubuntu, updating the libyaml-0-2 package introduces a backported fix which SafeYAML won't detect (see dtao/safe_yaml#57).

My understanding is that if you are using the latest version of RVM, the new autolibs feature will compile Ruby with the libyaml fix for you (hence the fix that @boyanpenkov just mentioned). I could be wrong about that, too.

What I just wrote is basically the sum of my rough memory of little spats of troubleshooting I've had time to put in here and there over the past couple days. It could be inaccurate in the details; but what I am confident about is that there are unfortunate inconsistencies in how to resolve this issue between systems. This is something I obviously need to figure out and fix (by providing a more helpful warning message, where appropriate) in the near future.

The good news is that for now, if you just want to get rid of the warning, it's quite easy: require safe_yaml 1.0.1 instead of 1.0.2. The two should be functionally equivalent except for this warning.
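The detection @dtao describes, as an added illustration rather than safe_yaml's own code: a minimum-version check against the libyaml version Psych reports, and the caveat that a distribution backport keeps the old version string and so still trips it. Gem::Version and Psych::LIBYAML_VERSION are standard Ruby; the function names are assumptions of this example.

```ruby
# Added example, not safe_yaml's own code: a libyaml minimum-version check of the
# kind that produces the safe_yaml 1.0.2 warning, and why a distro backport trips it.
require 'rubygems' # Gem::Version gives a numeric, not lexical, version comparison

# Earliest upstream libyaml release with the CVE-2014-2525 fix (from the thread above).
FIXED_LIBYAML = Gem::Version.new('0.1.6')

# True when the reported version string is at least 0.1.6. Gem::Version is used so
# that "0.1.10" sorts above "0.1.6"; a plain string comparison would get that wrong.
def libyaml_fixed?(version_string)
  Gem::Version.new(version_string.to_s) >= FIXED_LIBYAML
rescue ArgumentError
  false # unparsable version: treat as unverified rather than silently passing
end

# Returns nil when the check passes, otherwise the warning text. The check only sees
# the version string, so a distro package that backported the fix without bumping
# the version (the Ubuntu libyaml-0-2 case in the thread) still warns here.
def libyaml_warning(version_string)
  return nil if libyaml_fixed?(version_string)
  "libyaml #{version_string} is older than #{FIXED_LIBYAML}; the CVE-2014-2525 fix " \
    'may still be present as a distribution backport, so check the package changelog'
end

# Version Psych was compiled against, or nil if Psych cannot be loaded (hypothetical helper).
def current_libyaml_version
  require 'psych'
  Psych::LIBYAML_VERSION
rescue LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  v = current_libyaml_version
  puts v ? (libyaml_warning(v) || "libyaml #{v}: ok") : 'psych not available'
end
```

Running the file prints either the warning or an "ok" line for the libyaml your Ruby was built against; remember that a passing check says nothing about backports either way.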
@dtao, I concur with this -- my confusion arose from the fact that I had two versions of psych installed (2.0.5 and 2.0.2) and jekyll was reading the wrong one. Reinstalling the whole thing did stop the warning from coming up, but I'm confused as to how it solved the problem. Still, I'm fine running my setup as is. Thanks for your help!
It seems to be a safe_yaml issue to me – I don't think we'd restrict to 1.0.1 in a new release because this warning has value. We can use this issue to track the safe_yaml troubles people have.
I had this problem as well, after chatting with the RVM people on IRC they suggested
So everyone solves the issue with rvm. But what about people without rvm? I re-installed everything but I still get the warning myself. I think the only workaround for me is this:
    gem uninstall safe_yaml
    gem install safe_yaml -v "=1.0.1"
The problem is that with a
what are you using to install ruby?
@fabianrbz: I use Railsinstaller.
This isn't solvable on Windows it seems for the time being, short of compiling Ruby yourself (something that rvm makes very easy to do... on Linux.). Both RailsInstaller and the RubyInstaller packages are precompiled. Keep an eye out for an updated version of Ruby and it should hopefully resolve itself when the next patchlevel release is made.
@XhmikosR regarding your concerns about gem update, my best suggestion is to start using and loving Bundler. That'll solve that problem straight up.
@mscharley: I don't feel that that is a solution for me. The fact is that before safe_yaml v1.0.2, I had no issues; I don't see why I'd need to change the way I use packages instead of having this fixed upstream. As for Railsinstaller, I don't see how it's even related; it doesn't ship safe_yaml... safe_yaml is installed when I install Jekyll on my system.
@XhmikosR it doesn't ship safe_yaml, it does ship the C YAML library that safe_yaml uses however, which is where the issue actually is. Not sure why, but the vendored version doesn't seem to work for me either (using RubyInstaller).
OK, that makes sense then. So what we need is a new Ruby version and after that a new Railsinstaller version. I already made a PR for the updated libraries, but there's no patched 1.9.3 Ruby version. I only find v1_9_3_545. |
This seems fixed in safe_yaml 1.0.3, thanks @dtao! |
Confirmed fixed in Windows by installing safe_yaml (
Thanks all. It works. |
I'm using Jekyll v1.5.1 and after today's safe_yaml update I get
I did install psych like the error message says but I still get that warning every time I run jekyll.