Question

After the 'bundle install' command, it seems some old version of libyaml is used (see below). Following the instructions doesn't work because rails_admin is an engine (I guess). Any idea how to solve this issue?

SafeYAML Warning
  ----------------

  You appear to have an outdated version of libyaml (0.1.5) installed on your system.

  Prior to 0.1.6, libyaml is vulnerable to a heap overflow exploit from malicious YAML payloads.

  For more info, see:
  https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/

  The easiest thing to do right now is probably to update Psych to the latest version and enable
  the 'bundled-libyaml' option, which will install a vendored libyaml with the vulnerability patched:

  gem install psych -- --enable-bundled-libyaml

Solution

Just 3 steps:

  1. tell bundler to install psych with specific arguments

    bundle config build.psych --enable-bundled-libyaml

  2. specify a newer version of the psych gem in the Gemfile (Ruby 2.0+ ships with psych 2.0.0)

    gem "psych", "~> 2.0.5"

  3. run bundler
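After those steps it is worth confirming that the rebuilt Psych really links against a patched libyaml rather than the system 0.1.5 copy. The following check is an added example, not part of the answer above; it relies only on the standard-library `psych` gem (which exposes `Psych::LIBYAML_VERSION` on Psych 2.x and newer) and RubyGems' `Gem::Version`, and the `0.1.6` threshold comes from the warning text in the question.

```ruby
# Post-install check: is Psych compiled against a libyaml that predates the
# CVE-2014-2525 fix? Added example, not code from the original answer.
require "psych"
require "rubygems"

# First libyaml release containing the fix, per the SafeYAML warning above.
PATCHED_LIBYAML = Gem::Version.new("0.1.6")

# Returns true when the given libyaml version string is older than the fix.
# Gem::Version compares component-wise, so "0.1.10" correctly sorts after
# "0.1.6" where a plain string comparison would get it wrong.
def libyaml_vulnerable?(version_string)
  Gem::Version.new(version_string) < PATCHED_LIBYAML
end

# Reports the libyaml version Psych was built against, or nil when the
# installed Psych is too old to expose the constant.
def linked_libyaml_version
  return nil unless Psych.const_defined?(:LIBYAML_VERSION)
  Psych::LIBYAML_VERSION
end

# One-line summary suitable for a CI step; takes the version as an argument so
# it can also be run against a captured value from another machine.
def libyaml_status(version_string = linked_libyaml_version)
  if version_string.nil?
    return "psych #{Psych::VERSION}: libyaml version unknown (Psych too old to report it)"
  end
  if libyaml_vulnerable?(version_string)
    "psych #{Psych::VERSION}: libyaml #{version_string} predates #{PATCHED_LIBYAML}; " \
      "rebuild psych with --enable-bundled-libyaml"
  else
    "psych #{Psych::VERSION}: libyaml #{version_string} is patched"
  end
end

# Run directly (ruby check_libyaml.rb) inside the bundle to see the verdict
# for the Psych that Bundler actually loads.
puts libyaml_status if __FILE__ == $PROGRAM_NAME
```

Run it with `bundle exec ruby check_libyaml.rb` so it picks up the psych version pinned in the Gemfile rather than the default one shipped with Ruby; if it still reports 0.1.5, the `bundle config build.psych` setting was not applied when the gem was compiled.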

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow