I'm currently reviewing some servers and rvm installations regarding this issue: https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/
I was curious if a jruby installation (via rvm) is also affected. I've read here that jruby is using its own implementation of libyaml and thus should not have the same bugs.
However I would feel better if you could confirm that jruby is not affected by this issue.
I'm using jruby 1.7.3 (1.9.3p385) 2013-02-21 dac429b on Java HotSpot(TM) 64-Bit Server VM 1.7.0_07-b10 [linux-amd64]
jruby does not use libyaml, though with
jruby -r yaml -e 'puts Psych::LIBYAML_VERSION'
you will see 0.1.4, which is just a hard-coded value in the jruby java implementation of psych. I guess it would make sense to 'update' things on the jruby side for the next release.
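An added check script for reviewing installations like the ones above (written for this page, not code from the thread or from JRuby): on JRuby, Psych is backed by SnakeYAML, so the hard-coded LIBYAML_VERSION constant is ignored; on MRI the reported libyaml version is compared against the fixed version taken from the linked advisory (0.1.6 is assumed here; confirm it against the advisory before relying on it).

```ruby
require 'rubygems' # for Gem::Version comparisons

# Classifies one Ruby installation's exposure to a libyaml bug such as the
# one in the linked advisory. Returns a Hash with :backend, :vulnerable and a
# human-readable :note. Values are passed in so the logic can be unit-tested
# without running under each interpreter.
def libyaml_status(engine:, libyaml_version:, fixed_version:)
  if engine == 'jruby'
    # JRuby's Psych is implemented on SnakeYAML; Psych::LIBYAML_VERSION is a
    # constant baked into the Java code (0.1.4 in 1.7.x per this thread) and
    # says nothing about any libyaml on the host.
    return { backend: 'SnakeYAML', vulnerable: false,
             note: 'JRuby does not link libyaml; LIBYAML_VERSION is not meaningful' }
  end

  if libyaml_version.nil?
    return { backend: 'unknown', vulnerable: nil,
             note: 'Psych::LIBYAML_VERSION not defined; inspect the build manually' }
  end

  vulnerable = Gem::Version.new(libyaml_version) < Gem::Version.new(fixed_version)
  { backend: 'libyaml', vulnerable: vulnerable,
    note: "libyaml #{libyaml_version} (fixed in #{fixed_version})" }
end

# Inspects the interpreter this script runs under (e.g. one rvm ruby at a time).
def current_status(fixed_version:)
  require 'yaml'
  version = Psych.const_defined?(:LIBYAML_VERSION) ? Psych::LIBYAML_VERSION : nil
  libyaml_status(engine: RUBY_ENGINE, libyaml_version: version,
                 fixed_version: fixed_version)
end

if __FILE__ == $0
  # Assumption: 0.1.6 is the fixed libyaml release named in the linked advisory.
  puts current_status(fixed_version: '0.1.6').inspect
end
```

Run it once per rvm ruby (e.g. `rvm all do ruby check.rb`) to get a per-installation verdict that does not trust the JRuby constant.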
fixed with 5e74ee2
I just modified the version number to reflect the SnakeYAML version we ship instead of a bogus libyaml number. Hopefully that will reduce confusion in the future.
👍 Thank you :)