Forward Thinking CabForward

Security Vulnerability Announced in the Psych Gem

The Heroku Ruby Team has provided instructions on how to repair the security vulnerability announced with the libyaml library used in the Psych gem. This applies to all Ruby (MRI) applications on Heroku. This vulnerability could lead to arbitrary code execution when parsing YAML. To ensure you are running on the patched version of ruby, please follow the steps below.

Check to See if You’re Affected

Run the following on your app:

$ heroku run "ruby -rpsych -e \"p Psych.libyaml_version.join('.')\"" -a <app-name>

If you see the following error message, then you are not vulnerable and can ignore the rest of these steps:

:29:in `require': no such file to load -- psych (LoadError)
	from :29:in `require'

If you are using Psych, the command will return a libyaml version number. If the version returned is less than 0.1.6, you are vulnerable; please follow the instructions below.

If you do not explicitly use the Psych Gem:
If you don’t explicitly use the Psych gem and you’re on Ruby 1.9.2+, you’ll need to push a new commit to your app, which triggers a deploy and updates your version of Ruby automatically. If you don’t want to push any actual changes, this commit can be empty:

$ git commit --allow-empty -m "upgrade ruby version"

$ git push heroku master

If you use the Psych Gem < v2.0.5:

If you’re using the Psych gem in your Gemfile, update Psych to 2.0.5, which includes libyaml 0.1.6. Change the Psych gem line to:

gem 'psych', '~> 2.0.5'

Then update your gems, commit, and push.

$ bundle update psych

$ git add Gemfile Gemfile.lock

$ git commit -m "update libyaml to 0.1.6, CVE-2014-2525"

$ git push heroku master
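As an added example (not part of Heroku's instructions or this post), a small Ruby script that performs the same two checks locally: it compares the array returned by Psych.libyaml_version against the patched 0.1.6 release, and scans Gemfile.lock text for a pinned psych gem older than 2.0.5. The sample lockfile fragment is constructed for illustration.

```ruby
require 'rubygems' # for Gem::Version; added example, not Heroku's tooling

# libyaml 0.1.6 is the first release that fixes CVE-2014-2525;
# Psych 2.0.5 is the first gem release that bundles it.
PATCHED_LIBYAML = Gem::Version.new('0.1.6')
PATCHED_PSYCH   = Gem::Version.new('2.0.5')

# Takes the array returned by Psych.libyaml_version, e.g. [0, 1, 4],
# and reports whether it is older than the patched release.
def libyaml_vulnerable?(version_parts)
  Gem::Version.new(version_parts.join('.')) < PATCHED_LIBYAML
end

# Scans Gemfile.lock text for the resolved psych version. Returns
# :absent when psych is not locked at all (the app relies on the libyaml
# bundled with its Ruby, so the fix is a redeploy on a patched Ruby),
# :vulnerable when an older gem is locked, :patched otherwise.
# Top-level specs in a lockfile sit at exactly four spaces of indent.
def psych_lock_status(lockfile_text)
  match = lockfile_text.match(/^ {4}psych \((\d+(?:\.\d+)*)\)\s*$/)
  return :absent unless match
  Gem::Version.new(match[1]) < PATCHED_PSYCH ? :vulnerable : :patched
end

# Checks the Ruby this script runs under, mirroring the heroku run
# command above. Returns nil when Psych cannot be loaded (not affected).
def current_libyaml_vulnerable?
  require 'psych'
  libyaml_vulnerable?(Psych.libyaml_version)
rescue LoadError
  nil
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample Gemfile.lock fragment, not a real app's lockfile.
  sample_lock = <<~LOCK
    GEM
      remote: https://rubygems.org/
      specs:
        psych (2.0.2)
        rake (10.1.0)
  LOCK
  puts "Gemfile.lock psych status: #{psych_lock_status(sample_lock)}"
  puts "libyaml in this Ruby vulnerable: #{current_libyaml_vulnerable?.inspect}"
end
```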

If you have any questions, contact Heroku.