Heroku ACTION REQUIRED: Potential security vulnerability in Ruby and YAML parsing

I received an email from security@heroku.com with that subject on April 3rd, 2014 at 22:55 local time. I was expecting that email. How many of you who have a Rails application deployed on Heroku patched your application by following the instructions in the Heroku security email?
I followed the instructions by typing them into my Mac terminal, and found out that the instructions are wrong.
The first command from the email:

heroku run “ruby -rpsych -e \”p Psych.libyaml_version.join(‘.’)\”” -a application_name   


should be replaced with:

heroku run "ruby -rpsych -e 'p Psych.libyaml_version.join(\".\")'" -a application_name


I do not explicitly use the Psych gem, so I found out that the command:


git commit --allow-empty -m “upgrade ruby version”


should be replaced with:


git commit --allow-empty -m 'upgrade ruby version'


I had to upgrade my Ruby from ruby-2.0.0-p247 to ruby-2.0.0-p451. For ruby-2.0.0-p247, the libyaml version was 1.4.0, and by upgrading Ruby I only managed to upgrade libyaml to version 1.5.0. I do not want to upgrade Ruby to ruby-2.1.1 because of the following issue.

If you do not parse user-supplied YAML input in your application, then this issue does not affect you.
This blog post shows what security risks you should consider when you deploy your application on a third-party cloud application platform. You can learn more about risk-based testing in lecture 2 of the BBST Test Design course.
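As an added example (my own script, not from the original post or from Heroku's email), here is the libyaml check above wrapped in a small Ruby file you can run locally or with heroku run. It reports the Ruby, Psych and libyaml versions, compares the libyaml version against a minimum you pass on the command line (the 0.0.0 default is a placeholder, not a version any advisory names), and, for applications that do parse user-supplied YAML, shows the restricted Psych.safe_load call that refuses arbitrary Ruby object tags and aliases as defence in depth. The function names and the sample YAML documents are my own.

```ruby
# Added example, not part of the original post or Heroku's instructions.
# Audits the libyaml that Psych links against and shows a restricted
# parser for user-supplied YAML. Assumes Psych >= 3.1 (keyword arguments
# to safe_load).
require 'rubygems'
require 'psych'

# Version string exactly as the command in the post prints it, e.g. "0.2.5".
def libyaml_version_string
  Psych.libyaml_version.join('.')
end

# True when +actual+ is at least +minimum+. Gem::Version compares each
# component numerically, so "0.1.10" sorts above "0.1.9" (a plain string
# comparison would get that wrong).
def libyaml_ok?(actual, minimum)
  Gem::Version.new(actual) >= Gem::Version.new(minimum)
end

# Summary hash a deploy check or monitoring script can log.
def yaml_stack_report(minimum)
  actual = libyaml_version_string
  {
    ruby: RUBY_VERSION,
    psych: Psych::VERSION,
    libyaml: actual,
    minimum: minimum,
    ok: libyaml_ok?(actual, minimum)
  }
end

# Restricted parser for YAML that comes from users: only plain data
# (strings, numbers, booleans, arrays, hashes) is built. A !ruby/object
# tag raises Psych::DisallowedClass and an anchor/alias raises
# Psych::BadAlias, so an attacker-controlled document cannot instantiate
# arbitrary classes or blow up through alias expansion.
def parse_untrusted_yaml(text)
  Psych.safe_load(text, permitted_classes: [], aliases: false)
end

if $PROGRAM_NAME == __FILE__
  # Usage: ruby yaml_check.rb MINIMUM_LIBYAML_VERSION
  minimum = ARGV[0] || '0.0.0' # 0.0.0 is a placeholder; pass the version your advisory requires
  yaml_stack_report(minimum).each { |key, value| puts "#{key}: #{value}" }
end
```

On Heroku the same file can be run with `heroku run ruby yaml_check.rb MINIMUM -a application_name` once it is committed to the application; locally it prints the same report for the Ruby in your PATH.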
