[Bug 1305949] Re: Please bump libyaml to 0.1.6 due to CVE-2014-2525

Sun Oct 22 05:57:57 UTC 2017

** Changed in: libyaml (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libyaml in Ubuntu.
https://bugs.launchpad.net/bugs/1305949

Title:
  Please bump libyaml to 0.1.6 due to CVE-2014-2525

Status in libyaml package in Ubuntu:
  Fix Released

Bug description:
  Please bump libyaml to 0.1.6 due to CVE-2014-2525.

  Heap-based buffer overflow in the yaml_parser_scan_uri_escapes
  function in LibYAML before 0.1.6 allows context-dependent attackers to
  execute arbitrary code via a long sequence of percent-encoded
  characters in a URI in a YAML file.

  Except many other possible attack vectors, libyaml is a rather
  standard dependency for Ruby on Rails apps (the framework rely on
  YAML). Shipping insecure library can obviously lead to many unwanted
  problems.

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: libyaml-0-2 0.1.4-3ubuntu2
  ProcVersionSignature: Ubuntu 3.13.0-16.36-generic 3.13.5
  Uname: Linux 3.13.0-16-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.13.3-0ubuntu1
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Thu Apr 10 16:39:39 2014
  Dependencies:
   gcc-4.9-base 4.9-20140303-0ubuntu3
   libc6 2.19-0ubuntu2
   libgcc1 1:4.9-20140303-0ubuntu3
   multiarch-support 2.19-0ubuntu2
  InstallationDate: Installed on 2014-03-08 (32 days ago)
  InstallationMedia: Ubuntu-GNOME 14.04 "Trusty Tahr" - Alpha amd64 (20140226)
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=pl_PL.UTF-8
   SHELL=/bin/bash
  SourcePackage: libyaml
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libyaml/+bug/1305949/+subscriptions