jruby affected by libyaml CVE-2014-2525? #1612

jk779 opened this Issue Apr 7, 2014 · 4 comments


None yet

3 participants

jk779 commented Apr 7, 2014

I'm currently reviewing some servers and rvm installations regarding this issue: https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/

I was curious if a jruby installation (via rvm) is also affected. I've read here that jruby is using an own implementation of libyaml and thus should not have the same bugs.
However I would feel better if you could confirm that jruby is not affected by this issue.

I'm using jruby 1.7.3 (1.9.3p385) 2013-02-21 dac429b on Java HotSpot(TM) 64-Bit Server VM 1.7.0_07-b10 [linux-amd64]



jruby does not use libyaml though with

jruby -r yaml -e 'puts Psych::LIBYAML_VERSION'

you will see 0.1.4 which is just hard coded value in the jruby java
implementation of psych. I guess it would make sense to 'update' things on
the jruby side for the next release.


fixed with 5e74ee2

@mkristian mkristian closed this Apr 7, 2014
headius commented Apr 7, 2014

I just modified the version number to reflect the SnakeYAML version we ship instead of a bogus libyaml number. Hopefully that will reduce confusion in the future.

@headius headius added this to the JRuby 1.7.12 milestone Apr 7, 2014
@headius headius added the packaging label Apr 7, 2014
jk779 commented Apr 11, 2014

👍 Thank you :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment