ruby 1.9.3.484-2ubuntu1.8 throws gem warning
Bug #1763414 reported by Matthias Baur
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ruby1.9.1 (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
After upgrading the ruby1.9.1 package to 1.9.3.484-
root@mbaur-
YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0).
*** LOCAL GEMS ***
root@mbaur-
OS: Ubuntu 14.04.5
CVE References
Hi Matthias,
so with 1.9.3.484-2ubuntu1.7 before this did not happen?
I can confirm the issue in a trusty container.
If I go back to the released version:
$ apt-get install ruby1.9.1=1.9.3.484-2ubuntu1 libruby1.9.1=1.9.3.484-2ubuntu1
things are ok again.
Although it is "only" a warning.
My gems are still listed.
Old:
# gem list
*** LOCAL GEMS ***
hello (0.0.1)
New:
# gem list
YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0).
*** LOCAL GEMS ***
hello (0.0.1)
ruby-psych is only available in much later releases.
This might be an issue of the latest security fixes.
Especially this might be related:
  * SECURITY UPDATE: Deserialization untrusted data
    - debian/patches/CVE-2018-1000074*.patch fix in
      lib/rubygems/commands/owner_command.rb,
      test/rubygems/test_gem_commands_owner_command.rb.
    - CVE-2018-1000074
I'm marking this as an upgrade-regression and subscribing Leo, who did the fix.
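
A diagnostic for the condition the warning names, as an added example that is not part of the bug report or of the RubyGems patch. It assumes the warning means the bundled Psych lacks `Psych.safe_load` (introduced in psych 2.0); the helper names and both YAML samples are constructed for illustration.

```ruby
require "rubygems"
require "psych"

# The warning on this page asks for psych >= 2.0, the release line that
# introduced Psych.safe_load.
MIN_PSYCH = Gem::Version.new("2.0")

# Constructed sample: plain data, the shape a gem tool expects to parse.
PLAIN_OWNERS = "- email: alice@example.com\n  handle: alice\n"
# Constructed sample: a document that asks the loader to instantiate an object.
TAGGED_DOC = "--- !ruby/object:Object {}\n"

# True when this interpreter can parse YAML without instantiating
# arbitrary classes (hypothetical helper name).
def safe_loading_available?
  Psych.respond_to?(:safe_load) &&
    Gem::Version.new(Psych::VERSION) >= MIN_PSYCH
end

# Parse YAML from an untrusted source (hypothetical helper name).
# Returns [:ok, data] for plain data, [:rejected, reason] when the document
# requests object instantiation, and [:unavailable, nil] when only the
# unsafe loader exists, which is the state the warning reports.
def load_untrusted(yaml)
  return [:unavailable, nil] unless safe_loading_available?
  [:ok, Psych.safe_load(yaml)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  puts "psych #{Psych::VERSION}, safe loading: #{safe_loading_available?}"
  p load_untrusted(PLAIN_OWNERS)
  p load_untrusted(TAGGED_DOC)
end
```

On an interpreter whose Psych predates 2.0, both calls return `[:unavailable, nil]`, matching the state in which `gem list` prints the warning.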