jruby affected by libyaml CVE-2014-2525? #1612

Closed
jk779 opened this Issue · 4 comments

3 participants

@jk779

Hey,
I'm currently reviewing some servers and rvm installations regarding this issue: https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/

I was curious if a jruby installation (via rvm) is also affected. I've read here that jruby is using its own implementation of libyaml and thus should not have the same bugs.
However, I would feel better if you could confirm that jruby is not affected by this issue.

I'm using jruby 1.7.3 (1.9.3p385) 2013-02-21 dac429b on Java HotSpot(TM) 64-Bit Server VM 1.7.0_07-b10 [linux-amd64]

Thanks,
Michael

@mkristian
Collaborator
@mkristian
Collaborator

fixed with 5e74ee2

@mkristian mkristian closed this
@headius
Owner

I just modified the version number to reflect the SnakeYAML version we ship instead of a bogus libyaml number. Hopefully that will reduce confusion in the future.

@headius headius added this to the JRuby 1.7.12 milestone
@headius headius added the packaging label
@jk779

:+1: Thank you :)
