Issue #9482 has been updated by Hal Brodigan.


The short-term solution would be to backport the updates to psych's vendored libyaml 0.1.4. The long-term solution is to cease vendoring libyaml and compile against the system's libyaml. Either way, I prefer that Ruby does not ship with vulnerable code. ;)

----------------------------------------
Backport #9482: backport r44809 and r44811
https://bugs.ruby-lang.org/issues/9482#change-45002

* Author: Hiroshi SHIBATA
* Status: Rejected
* Priority: Normal
* Assignee: Yui NARUSE
* Category: 
* Target version: 
* ruby -v: ruby 2.1.1p15 (2014-02-02 revision 44794)
----------------------------------------
ref. [CVE-2013-6393](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076)



-- 
http://bugs.ruby-lang.org/