#rubygems-aws on 2014-02-04 — irc logs at freenode.irclog.whitequark.org

2013-11-21 20:19 dwradcliffe changed the topic of #rubygems-aws to: RubyGems.org Ops | Log: http://irclog.whitequark.org/rubygems-aws | https://github.com/rubygems/rubygems-aws

01:00 <dwradcliffe> postmodern: we're using the ubuntu package right now

01:01 <dwradcliffe> postmodern: and we'll be building our own packages soon

01:01 <postmodern> dwradcliffe, awesome

01:01 <dwradcliffe> yeah, rbenv is only used on the jenkins server

01:01 <postmodern> dwradcliffe, and is unattended_updates enabled?

01:01 <dwradcliffe> I don't think so

01:03 <postmodern> dwradcliffe, might want to update and see if libyaml is bumped

01:04 <postmodern> it should be at libyaml-0.1.4-3, which contains the security patch

01:04 <postmodern> if it's been updated, also restart rubygems.org

01:05 <postmodern> this is potentially a very epic vulnerability for anything that handles yaml

01:06 <dwradcliffe> fun

01:06 <dwradcliffe> let me check

01:11 <dwradcliffe> I don't see a new package

01:14 <dwradcliffe> looks like it's not out yet http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6393.html

01:17 <postmodern> ouch

01:32 <postmodern> dwradcliffe, what's the plan to mitigate this before an exploit gets written?

01:33 <postmodern> dwradcliffe, manually install the debian package, wait for the libyaml-0.1.5 package, wait for canonical?

10:20 postmodern has quit [Quit: Leaving]

14:03 <dwradcliffe> samkottler: any chance we could get our builds up and running this week?

15:35 seanlinsley has quit [Quit: …]

16:19 seanlinsley has joined #rubygems-aws

16:20 seanlinsley has quit [Client Quit]

16:20 seanlinsley has joined #rubygems-aws

16:34 mocara1 has joined #rubygems-aws

16:37 mocara2 has joined #rubygems-aws

16:38 mocara1 has quit [Ping timeout: 250 seconds]

16:49 mocara2 has quit [Quit: Leaving.]

19:46 mocara1 has joined #rubygems-aws

19:49 mocara2 has joined #rubygems-aws

19:51 mocara1 has quit [Ping timeout: 245 seconds]

19:56 mocara2 has quit [Quit: Leaving.]

20:16 mocara1 has joined #rubygems-aws

22:40 mocara1 has quit [Quit: Leaving.]

22:43 postmodern has joined #rubygems-aws

22:43 <postmodern> good news everybody, ubuntu finally updated libyaml

22:43 <postmodern> highly suggest you apt-get update and restart rubygems.org to load the new libyaml

22:45 <dwradcliffe> awesome

22:50 <dwradcliffe> postmodern: updating the package and restarting is enough?

22:51 <postmodern> dwradcliffe, yeah

22:51 <postmodern> dwradcliffe, the vuln is in libyaml, which psych links to

22:51 <dwradcliffe> ok

22:51 <postmodern> dwradcliffe, so a restart should pull in the new libyaml code

22:54 <dwradcliffe> done

22:55 <dwradcliffe> any good way to verify?

22:59 <postmodern> probably just checking that you have the updated ubuntu package installed

22:59 <postmodern> since canonical just patched libyaml, they didn't bump the version

22:59 <postmodern> so Psych::LIBYAML_VERSION will still be 0.1.4

22:59 <dwradcliffe> right

23:00 <postmodern> but now that we got upstream to release 0.1.5, there should be another update soon