Fix: prior to 0.1.6, libyaml is vulnerable to a heap overflow exploit from malicious YAML payloads

After adding the vcr gem, running rspec produces the error below. Simply running the suggested `gem install psych -- --enable-bundled-libyaml` does not fix the problem. I am using rbenv and ruby-build, with Ruby 2.1.1. What do I need to do to fix this?
  SafeYAML Warning
  ----------------

  You appear to have an outdated version of libyaml (0.1.4) installed on your system.

  Prior to 0.1.6, libyaml is vulnerable to a heap overflow exploit from malicious YAML payloads.

  For more info, see:
  https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/

  The easiest thing to do right now is probably to update Psych to the latest version and enable
  the 'bundled-libyaml' option, which will install a vendored libyaml with the vulnerability patched:

  gem install psych -- --enable-bundled-libyaml

Solution

First, you have to update ruby-build; they patched this security issue recently. It now installs libyaml 0.1.6 when compiling Ruby.
$ rm -rf ~/.rbenv/plugins/ruby-build
$ git clone https://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build

Recompile and reinstall the Ruby version you use, 2.0.0-p451 in my case:

$ rbenv install 2.0.0-p451
rbenv: /home/ubuntu/.rbenv/versions/2.0.0-p451 already exists
continue with installation? (y/N) y
Downloading yaml-0.1.6.tar.gz...
-> http://dqw8nmjcqpjn7.cloudfront.net/5fe00cda18ca5daeb43762b80c38e06e
...

It worked in my case.
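One way to confirm which libyaml the rebuilt Ruby actually links against, as an added example that is not part of the original question or answer: Psych exposes the version of the libyaml it was compiled against as `Psych::LIBYAML_VERSION`, and the script below compares that string with 0.1.6, the first release the warning names as carrying the CVE-2014-2525 fix. The function and constant names are this example's own.

```ruby
# Added example (not from the original post): report the libyaml version the
# running Ruby's Psych is linked against and flag anything older than 0.1.6,
# the first release with the heap overflow fix (CVE-2014-2525) from the warning.
require 'rubygems'
require 'psych'

# First libyaml release that ships the fix, per the SafeYAML warning above.
FIXED_LIBYAML_VERSION = '0.1.6'.freeze

# Pure comparison so it can be exercised with constructed version strings:
# true when the given libyaml version is older than the fixed release.
# Gem::Version compares numerically, so "0.1.10" is correctly newer than "0.1.6".
def libyaml_vulnerable?(version_string)
  Gem::Version.new(version_string) < Gem::Version.new(FIXED_LIBYAML_VERSION)
end

# Inspect the interpreter we are running in. Psych::LIBYAML_VERSION is a
# "major.minor.patch" string for the libyaml Psych was built against.
def libyaml_report
  version = defined?(Psych::LIBYAML_VERSION) ? Psych::LIBYAML_VERSION : nil
  if version.nil?
    return { version: nil, vulnerable: nil,
             message: 'Psych does not report a libyaml version on this Ruby' }
  end

  vulnerable = libyaml_vulnerable?(version)
  message =
    if vulnerable
      "libyaml #{version} is older than #{FIXED_LIBYAML_VERSION}; rebuild Ruby with " \
      'an updated ruby-build or run: gem install psych -- --enable-bundled-libyaml'
    else
      "libyaml #{version} includes the CVE-2014-2525 fix"
    end
  { version: version, vulnerable: vulnerable, message: message }
end

if __FILE__ == $PROGRAM_NAME
  puts libyaml_report[:message]
end
```

Run it with the Ruby you just reinstalled (`rbenv local 2.0.0-p451 && ruby check_libyaml.rb`); the `:vulnerable` key of the returned hash can drive a non-zero exit status in a CI job if you want builds on an unpatched libyaml to fail.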
