Question

This is related to the recent libyaml vulnerability (CVE-2014-2525).

I updated psych in my Gemfile to 2.0.5 as suggested, but libyaml version is still 0.1.4 instead of 0.1.6 on my server.

Looks like using the latest psych gem doesn't update the libyaml version used by Ruby.

2.0.0p353 :001 > Psych.libyaml_version
 => [0, 1, 4]

Apparently libyaml points to the one installed on the system. Notice how libyaml-0.so.2 points to /usr/lib/x86_64-linux-gnu/libyaml-0.so.2:

ubuntu@host:~$ find $MY_RUBY_HOME -name psych.so | xargs ldd
    linux-vdso.so.1 =>  (0x00007fff22fff000)
    libruby.so.2.0 => /home/ubuntu/.rvm/rubies/ruby-2.0.0-p353/lib/libruby.so.2.0 (0x00007fc91a537000)
    libyaml-0.so.2 => /usr/lib/x86_64-linux-gnu/libyaml-0.so.2 (0x00007fc91a30e000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc919f4d000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fc919d30000)
    librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fc919b28000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc919923000)
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fc9196ea000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fc9193ee000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fc91abbf000)

/usr/lib/x86_64-linux-gnu/libyaml-0.so.2 is installed by libyaml-0-2 package as shown below:

ubuntu@host:~$ dpkg -S /usr/lib/x86_64-linux-gnu/libyaml-0.so.2
libyaml-0-2: /usr/lib/x86_64-linux-gnu/libyaml-0.so.2

If I understand it correctly, that means Ruby is dynamically linking libyaml to the one installed by APT.

Ubuntu has released a patch that fixed the vulnerability and that patch is already installed. The version of libyaml is still 0.1.4 though.

So based on that, the vulnerability seems to already be fixed on my server. Am I right? Is there any way to test that the vulnerability has been fixed?


Solution

I figured that ldd only checks for dynamically linked libraries. If it's statically linked, it won't be listed. So that means the vulnerability is fixed.

If you have compiled nginx yourself, you may have statically linked the openssl libraries. The ldd test will reveal no dependencies on the operating system libssl.so library.

http://nginx.com/blog/nginx-and-the-heartbleed-vulnerability/

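The check the question and answer walk through, as an added example (not code from the original post): it parses `ldd` output for the loaded psych.so. A `libyaml-0.so.2` line means psych uses the system copy (the APT-owned libyaml-0-2 here, which Ubuntu patched in place without bumping 0.1.4); no such line means libyaml is compiled into psych.so, which is the answer's point about ldd only listing dynamically linked libraries. The two ldd transcripts are constructed (the first mirrors the post's output), and the live report at the bottom assumes an `ldd`/`dpkg` system and skips itself elsewhere.

```ruby
# Added example, not the poster's code: which libyaml does the loaded psych.so use?
require 'psych'
require 'rubygems'

# Parse `ldd` output into { soname => path }. nil marks the vdso (no file on
# disk) or a library the loader reported as "not found".
def parse_ldd(output)
  deps = {}
  output.each_line do |raw|
    line = raw.strip
    if (m = line.match(%r{\A(\S+)\s+=>\s+(/\S+)\s+\(0x[0-9a-f]+\)\z}))
      deps[m[1]] = m[2]                    # libyaml-0.so.2 => /usr/lib/.../libyaml-0.so.2 (0x...)
    elsif (m = line.match(/\A(\S+)\s+=>\s+(?:\(0x[0-9a-f]+\)|not found)\z/))
      deps[m[1]] = nil                     # linux-vdso.so.1 => (0x...)  /  libfoo.so => not found
    elsif (m = line.match(%r{\A(/\S+)\s+\(0x[0-9a-f]+\)\z}))
      deps[File.basename(m[1])] = m[1]     # /lib64/ld-linux-x86-64.so.2 (0x...)
    end
  end
  deps
end

# :dynamic with the resolved path when ldd lists a libyaml soname; otherwise
# libyaml is statically linked into psych.so (or psych has no libyaml at all),
# and ldd cannot tell you which version that is.
def libyaml_linkage(ldd_output)
  soname, path = parse_ldd(ldd_output).find { |name, _| name.start_with?('libyaml') }
  return { linkage: :static_or_absent } unless soname
  { linkage: :dynamic, soname: soname, path: path }
end

# Upstream fixed CVE-2014-2525 in libyaml 0.1.6, but a distro backport keeps the
# old number (0.1.4 on the poster's Ubuntu), so only a true result is conclusive;
# false means "check the package version against the distro advisory".
def libyaml_at_least?(version_triple, wanted = '0.1.6')
  Gem::Version.new(version_triple.join('.')) >= Gem::Version.new(wanted)
end

# Constructed transcripts: the first mirrors the post (system libyaml), the
# second is what a psych.so with libyaml compiled in would print.
LDD_DYNAMIC = <<~TXT
  linux-vdso.so.1 =>  (0x00007fff22fff000)
  libruby.so.2.0 => /home/ubuntu/.rvm/rubies/ruby-2.0.0-p353/lib/libruby.so.2.0 (0x00007fc91a537000)
  libyaml-0.so.2 => /usr/lib/x86_64-linux-gnu/libyaml-0.so.2 (0x00007fc91a30e000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc919f4d000)
  /lib64/ld-linux-x86-64.so.2 (0x00007fc91abbf000)
TXT

LDD_STATIC = <<~TXT
  linux-vdso.so.1 =>  (0x00007fff22fff000)
  libruby.so.2.0 => /home/ubuntu/.rvm/rubies/ruby-2.0.0-p353/lib/libruby.so.2.0 (0x00007fc91a537000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc919f4d000)
  /lib64/ld-linux-x86-64.so.2 (0x00007fc91abbf000)
TXT

# Live check on this interpreter: the psych.so that actually got required, what
# ldd says about it, and which Debian package owns the libyaml it resolved to.
# Assumes ldd and dpkg exist; returns a skip message where they do not.
def live_report
  psych_so = $LOADED_FEATURES.find { |f| f.end_with?('psych.so') && File.exist?(f) }
  return 'psych.so not found on disk (statically built into ruby?)' unless psych_so
  info = libyaml_linkage(IO.popen(['ldd', psych_so], &:read))
  lines = ["psych.so: #{psych_so}",
           "Psych.libyaml_version: #{Psych.libyaml_version.join('.')}",
           "linkage: #{info}"]
  if info[:linkage] == :dynamic && info[:path]
    owner = IO.popen(['dpkg', '-S', info[:path]], &:read).split(':').first
    if owner
      lines << "owner package: #{owner}"
      lines << "package version: #{IO.popen(['dpkg-query', '-W', '-f=${Version}', owner], &:read)}"
    end
  end
  lines.join("\n")
rescue Errno::ENOENT => e
  "live check skipped: #{e.message}"
end

puts libyaml_linkage(LDD_DYNAMIC).inspect
puts libyaml_linkage(LDD_STATIC).inspect
puts live_report if __FILE__ == $0
```

The live report's package version is the number to compare against the Ubuntu security notice for CVE-2014-2525, since a backported fix leaves `Psych.libyaml_version` at 0.1.4; when the linkage comes back `:static_or_absent`, the only way to know what is inside psych.so is to check what the gem or Ruby was built against and rebuild it against a fixed libyaml.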
Licensed under: CC-BY-SA with attribution