*** This bug is a security vulnerability *** Public security bug reported:
Please bump libyaml to 0.1.6 due to CVE-2014-2525. Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file. Apart from many other possible attack vectors, libyaml is a rather standard dependency for Ruby on Rails apps (the framework relies on YAML). Shipping an insecure library can obviously lead to many unwanted problems.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libyaml-0-2 0.1.4-3ubuntu2
ProcVersionSignature: Ubuntu 3.13.0-16.36-generic 3.13.5
Uname: Linux 3.13.0-16-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
CurrentDesktop: GNOME
Date: Thu Apr 10 16:39:39 2014
Dependencies:
 gcc-4.9-base 4.9-20140303-0ubuntu3
 libc6 2.19-0ubuntu2
 libgcc1 1:4.9-20140303-0ubuntu3
 multiarch-support 2.19-0ubuntu2
InstallationDate: Installed on 2014-03-08 (32 days ago)
InstallationMedia: Ubuntu-GNOME 14.04 "Trusty Tahr" - Alpha amd64 (20140226)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=pl_PL.UTF-8
 SHELL=/bin/bash
SourcePackage: libyaml
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: libyaml (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug trusty

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libyaml in Ubuntu.
https://bugs.launchpad.net/bugs/1305949

Title:
  Please bump libyaml to 0.1.6 due to CVE-2014-2525

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
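Since the report's concern is Rails apps linked against a vulnerable libyaml, a check of the actual version in use is what an operator wants. The following is an added example (not part of the bug report or of libyaml/Psych): it compares a libyaml version string, including a Debian-style one such as the reported 0.1.4-3ubuntu2, against the 0.1.6 fix for CVE-2014-2525, and then applies the same test to the libyaml the running Ruby's Psych was built against, read from Psych::LIBYAML_VERSION.

```ruby
# Added example: flag libyaml versions older than the CVE-2014-2525 fix (0.1.6).
require 'psych'

FIXED_LIBYAML = Gem::Version.new('0.1.6')

# Strip a Debian/Ubuntu revision such as "-3ubuntu2" so only the upstream
# version (0.1.4) is compared; returns nil if the string holds no version.
def upstream_libyaml_version(str)
  m = str.to_s.match(/\A(\d+(?:\.\d+)*)/)
  m && Gem::Version.new(m[1])
end

# true  -> libyaml older than 0.1.6, affected by CVE-2014-2525
# false -> 0.1.6 or newer
# nil   -> unparseable version; treat as unknown, not as safe
def libyaml_vulnerable_to_cve_2014_2525?(str)
  v = upstream_libyaml_version(str)
  return nil unless v
  v < FIXED_LIBYAML
end

# Check the libyaml linked into this interpreter's Psych, which is what a
# Rails app actually parses YAML with (a system package may differ from it).
def running_psych_libyaml_status
  version = defined?(Psych::LIBYAML_VERSION) ? Psych::LIBYAML_VERSION : nil
  { version: version, vulnerable: libyaml_vulnerable_to_cve_2014_2525?(version) }
end

if __FILE__ == $0
  # Version from the report above; constructed input, not read from the system.
  reported = '0.1.4-3ubuntu2'
  puts "libyaml-0-2 #{reported}: vulnerable=#{libyaml_vulnerable_to_cve_2014_2525?(reported)}"
  s = running_psych_libyaml_status
  puts "Psych libyaml #{s[:version].inspect}: vulnerable=#{s[:vulnerable].inspect}"
end
```

A nil result means the version could not be determined and should be investigated rather than assumed fixed.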