Backport #9482
closed
Updated by naruse (Yui NARUSE) about 10 years ago
- Status changed from Open to Rejected
The fix seems half-baked
Updated by postmodern (Hal Brodigan) about 10 years ago
The short-term solution would be to backport the updates to psych's vendored libyaml 0.1.4. The long-term solution is to cease vendoring libyaml and compile against the system's libyaml. Either way, I prefer that Ruby does not ship with vulnerable code. ;)
Updated by nagachika (Tomoyuki Chikanaga) about 10 years ago
Just for reference, there are the following changesets: r44813, r44815, r44816, r44817 and r44818.
Updated by naruse (Yui NARUSE) about 10 years ago
- Status changed from Rejected to Assigned
Updated by naruse (Yui NARUSE) about 10 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Applied in changeset r45160.
merge revision(s) 44809,44811,44813,44815,44816,44817,44818,44918,45003: [Backport #9482]
* ext/psych/yaml/emitter.c: merge libyaml 0.1.5
* ext/psych/yaml/loader.c: ditto
* ext/psych/yaml/parser.c: ditto
* ext/psych/yaml/reader.c: ditto
* ext/psych/yaml/scanner.c: ditto
* ext/psych/yaml/writer.c: ditto
* ext/psych/yaml/yaml_private.h: ditto
* ext/psych/lib/psych.rb: New release of psych.
* ext/psych/psych.gemspec: ditto