Ruby 2.1.4 Released

Ruby 2.1.4 has been released.

This release includes security fixes for the following vulnerabilities:

CVE-2014-8080: Denial of Service XML Expansion
Changed default settings of ext/openssl related to CVE-2014-3566

And there are some bug-fixes….

March 29, 2014

There is an overflow in URI escape parsing of YAML in Ruby. This vulnerability has been assigned the CVE identifier CVE-2014-2525.

Details

Any time a string in YAML with tags is parsed, a specially crafted string can cause a heap overflow which can lead to arbitrary code execution.

For example:

YAML.load <code_from_unknown_source>

Ruby 1.9.3-p0 and above include psych as the default YAML parser. Any versions of psych linked against libyaml <= 0.1.5 are affected.

And, these versions of Ruby bundle an affected version of libyaml:

You can verify the version of libyaml used by running:

$ ruby -rpsych -e 'p Psych.libyaml_version'
[0, 1, 5]

Users who install libyaml to the system are recommended to update libyaml to 0.1.6. When recompiling Ruby, point to the newly updated libyaml:

$ ./configure --with-yaml-dir=/path/to/libyaml

Users without a system libyaml rely on the embedded libyaml and are recommended to update psych to 2.0.5 which vendors libyaml 0.1.6:

$ gem install psych

or, update your Ruby to 2.0.0-p481, 2.1.2 or newer.

Posted by hone and zzak on 29 Mar 2014