Please bump libyaml to 0.1.6 due to CVE-2014-2525
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libyaml (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
Please bump libyaml to 0.1.6 due to CVE-2014-2525.
Heap-based buffer overflow in the yaml_parser_
Apart from many other possible attack vectors, libyaml is a rather standard dependency for Ruby on Rails apps (the framework relies on YAML). Shipping an insecure library can obviously lead to many unwanted problems.
http://
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libyaml-0-2 0.1.4-3ubuntu2
ProcVersionSign
Uname: Linux 3.13.0-16-generic x86_64
NonfreeKernelMo
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
CurrentDesktop: GNOME
Date: Thu Apr 10 16:39:39 2014
Dependencies:
gcc-4.9-base 4.9-20140303-
libc6 2.19-0ubuntu2
libgcc1 1:4.9-20140303-
multiarch-support 2.19-0ubuntu2
InstallationDate: Installed on 2014-03-08 (32 days ago)
InstallationMedia: Ubuntu-GNOME 14.04 "Trusty Tahr" - Alpha amd64 (20140226)
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_
LANG=pl_PL.UTF-8
SHELL=/bin/bash
SourcePackage: libyaml
UpgradeStatus: No upgrade log present (probably fresh install)
CVE References
information type: Private Security → Public Security
Changed in libyaml (Ubuntu):
importance: Undecided → Medium
CVE-2014-2525 was already fixed in 0.1.4-3ubuntu3:
https://launchpad.net/ubuntu/trusty/+source/libyaml/0.1.4-3ubuntu3