Backport #9482
closed
- Status changed from Open to Rejected
The short-term solution would be to backport the updates to psych's vendored libyaml 0.1.4. The long-term solution is to cease vendoring libyaml and compile against the system's libyaml. Either way, I prefer that Ruby does not ship with vulnerable code. ;)
Just for reference, there are the following changesets: r44813, r44815, r44816, r44817 and r44818.
- Status changed from Rejected to Assigned
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Applied in changeset r45160.
merge revision(s) 44809,44811,44813,44815,44816,44817,44818,44918,45003: [Backport #9482]
* ext/psych/yaml/emitter.c: merge libyaml 0.1.5
* ext/psych/yaml/loader.c: ditto
* ext/psych/yaml/parser.c: ditto
* ext/psych/yaml/reader.c: ditto
* ext/psych/yaml/scanner.c: ditto
* ext/psych/yaml/writer.c: ditto
* ext/psych/yaml/yaml_private.h: ditto
* ext/psych/lib/psych.rb: New release of psych.
* ext/psych/psych.gemspec: ditto
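A quick check for the libyaml level discussed above, added here as an example and not part of the ticket or of psych itself: `Psych::LIBYAML_VERSION` reports the libyaml that the psych extension was built against, whether the vendored copy or a system library, so it can be compared against 0.1.5, the release merged by this backport. The minimum version and the `libyaml_version_ok?`/`libyaml_report` helper names are assumptions of this example.

```ruby
# Added example (not from the ticket or from psych): verify that the libyaml
# Psych links against is at least 0.1.5, the release merged into ext/psych/yaml
# by the backport above. Psych::LIBYAML_VERSION reports whichever libyaml the
# extension was built with, so this covers both the vendored and system cases.
require 'rubygems'
require 'psych'

# Assumed minimum: the libyaml release merged by this backport.
MIN_LIBYAML = '0.1.5'.freeze

# Compare dotted versions numerically rather than as strings, so that a
# hypothetical '0.1.10' is correctly treated as newer than '0.1.5'.
def libyaml_version_ok?(version, minimum = MIN_LIBYAML)
  Gem::Version.new(version) >= Gem::Version.new(minimum)
end

# Summarise the running interpreter's psych/libyaml pairing.
def libyaml_report
  version = Psych::LIBYAML_VERSION
  {
    psych: Psych::VERSION,
    libyaml: version,
    patched: libyaml_version_ok?(version),
  }
end

if __FILE__ == $PROGRAM_NAME
  r = libyaml_report
  puts "psych #{r[:psych]} linked against libyaml #{r[:libyaml]}: " \
       "#{r[:patched] ? 'at or above' : 'below'} #{MIN_LIBYAML}"
end
```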