Important: ruby193-libyaml SCL Security Update

Metadata

medium
6.8
ruby193-libyaml-0.1.4-5.1.el6.centos.alt.src.rpm, ruby193-libyaml-0.1.4-5.1.el6.centos.alt.x86_64.rpm, ruby193-libyaml-devel-0.1.4-5.1.el6.centos.alt.x86_64.rpm
CVE-2013-6393, CVE-2014-2525
rhn.redhat.com, lists.centos.org
2014-05-21
2017-07-27 19:06
ALAS-2014-321
ALAS-2014-324
ALAS-2014-291
CVE-2014-2525 libyaml
CVE-2014-2525 libyaml-libyaml-perl
CVE-2013-6393 libyaml
CVE-2013-6393 libyaml-libyaml-perl
CVE-2013-6393
CVE-2014-2525
2017-04-01 19:07
2017-03-23 17:03
2017-01-05 20:11

Description

Updated ruby193-libyaml packages that fix two security issues are now
available for Red Hat Software Collections 1.

The Red Hat Security Response Team has rated this update as having
Important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

YAML is a data serialization format designed for human readability and
interaction with scripting languages. LibYAML is a YAML parser and emitter
written in C.

A buffer overflow flaw was found in the way the libyaml library parsed URLs
in YAML documents. An attacker able to load specially crafted YAML input to
an application using libyaml could cause the application to crash or,
potentially, execute arbitrary code with the privileges of the user running
the application. (CVE-2014-2525)

An integer overflow flaw was found in the way the libyaml library handled
excessively long YAML tags. An attacker able to load specially crafted YAML
input to an application using libyaml could cause the application to crash
or, potentially, execute arbitrary code with the privileges of the user
running the application. (CVE-2013-6393)

Red Hat would like to thank oCERT for reporting the CVE-2014-2525 issue.
oCERT acknowledges Ivan Fratric of the Google Security Team as the original
reporter. The CVE-2013-6393 issue was discovered by Florian Weimer of the
Red Hat Product Security Team.

All ruby193-libyaml users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. All running
applications linked against the libyaml library must be restarted for this
update to take effect.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unreleased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages, and tells you if any of them are vulnerable.

Affected package information

Release  Package                    Patched in
6        ruby193-libyaml^alt        ruby193-libyaml-0.1.4-5.1.el6.centos.alt.src.rpm
6        ruby193-libyaml^alt        ruby193-libyaml-0.1.4-5.1.el6.centos.alt.x86_64.rpm
6        ruby193-libyaml-devel^alt  ruby193-libyaml-devel-0.1.4-5.1.el6.centos.alt.x86_64.rpm
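As an added example (not part of this advisory or of Appcanary's tooling), the following script applies the "Patched in" constraint above to `rpm -qa` output using rpm's own version-ordering rules, so that a release such as 5.1.el6.centos.alt is ordered correctly against 4.el6 or 5.el6. The `rpm -qa` sample is constructed; the fixed build string is the one from this page.

```python
import re
FIXED_VR = "0.1.4-5.1.el6.centos.alt"  # fixed build from this advisory, minus arch
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """rpm's ordering: digit runs compare numerically, letter runs lexically, a
    digit run beats a letter run, and more segments wins a tie (no tilde/caret)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)  # so "010" == "10" and "10" > "9"
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_compare(a, b):
    """Compare 'E:V-R' (or 'V-R', epoch 0) strings: epoch, then version, then release."""
    ea, _, va = a.rpartition(":")
    eb, _, vb = b.rpartition(":")
    ea, eb = int(ea or 0), int(eb or 0)
    if ea != eb:
        return 1 if ea > eb else -1
    (va, _, ra), (vb, _, rb) = va.partition("-"), vb.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_patched(installed, fixed=FIXED_VR):
    """True when the installed build is the advisory's fixed build or newer."""
    return evr_compare(installed, fixed) >= 0

def vr_from_nvra(nvra):
    """'ruby193-libyaml-0.1.4-5.1.el6.centos.alt.x86_64' -> '0.1.4-5.1.el6.centos.alt'."""
    nvra = re.sub(r"\.(x86_64|i686|noarch|src)$", "", nvra)
    name_ver, _, release = nvra.rpartition("-")
    return name_ver.rpartition("-")[2] + "-" + release

def audit(rpm_qa_output, names=("ruby193-libyaml", "ruby193-libyaml-devel")):
    """Map each advisory package present in `rpm -qa` output to patched True/False."""
    status = {}
    for line in rpm_qa_output.splitlines():
        for name in names:  # a digit must follow "name-", else it is a sub-package
            if line.startswith(name + "-") and line[len(name) + 1:len(name) + 2].isdigit():
                status[name] = is_patched(vr_from_nvra(line))
    return status

# Constructed sample of `rpm -qa` output: patched libyaml, older devel package.
SAMPLE_RPM_QA = """ruby193-libyaml-0.1.4-5.1.el6.centos.alt.x86_64
ruby193-libyaml-devel-0.1.4-4.el6.x86_64
ruby193-ruby-1.9.3.484-42.el6.x86_64"""
```

A package reported as patched still needs the restart step from the advisory: processes that mapped the old libyaml before the upgrade keep running the vulnerable code.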