authorhsbt <hsbt@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2017-10-10 08:58:22 +0000
committerhsbt <hsbt@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2017-10-10 08:58:22 +0000
commit500f15e5079026f3da993b404f7474aa3c69cc0a (patch)
tree5d03277ea27cf1be4b4616482693be01fdf6f0e4 /lib/rubygems.rb
parent6d86ee593a78221bfadd99fd9edf41eb5a985cc7 (diff)
Merge rubygems-2.6.14 changes.
This fixes the vulnerability described at http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60149 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'lib/rubygems.rb')
-rw-r--r--lib/rubygems.rb5
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/rubygems.rb b/lib/rubygems.rb
index d819bdee02..c8f43e3805 100644
--- a/lib/rubygems.rb
+++ b/lib/rubygems.rb
@@ -10,7 +10,7 @@ require 'rbconfig'
require 'thread'
module Gem
- VERSION = "2.6.13"
+ VERSION = "2.6.14"
end
# Must be first since it unloads the prelude from 1.9.2
@@ -690,7 +690,7 @@ An Array (#{env.inspect}) was passed in from #{caller[3]}
unless test_syck
begin
- gem 'psych', '>= 1.2.1'
+ gem 'psych', '>= 2.0.0'
rescue Gem::LoadError
# It's OK if the user does not have the psych gem installed. We will
# attempt to require the stdlib version
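Review bot: The raised floor in `gem 'psych', '>= 2.0.0'` only takes effect when the psych gem can be activated; the `rescue Gem::LoadError` branch right below still falls through to whatever stdlib YAML is installed, as its own comment says. Psych 2.0.0 is the release that introduced `safe_load`, which is presumably why the floor moved, but nothing in the hunk records that reason. I would add a comment above the `gem` call such as `# psych >= 2.0.0 provides YAML.safe_load; an older stdlib psych reached via the rescue below does not`, and confirm that rubygems/safe_yaml (not visible here) behaves safely when `safe_load` is missing. The enclosing method starts and ends outside the hunk.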
@@ -714,6 +714,7 @@ An Array (#{env.inspect}) was passed in from #{caller[3]}
end
require 'yaml'
+ require 'rubygems/safe_yaml'
# If we're supposed to be using syck, then we may have to force
# activate it via the YAML::ENGINE API.
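Review bot: `require 'rubygems/safe_yaml'` is placed before the syck / YAML::ENGINE handling that the following comment introduces, so if the wrapper decides at load time which loader it delegates to, that decision is made before the engine is switched. safe_yaml.rb is outside this view, so treat this as a question to confirm rather than a demonstrated defect. Loading the wrapper here also does not by itself change any existing `YAML.load` call on gem metadata. A short comment such as `# Gem::SafeYAML restricts which classes may be deserialized; use it instead of YAML.load for gem metadata` would tell maintainers which entry point is expected. The surrounding method continues past the end of the hunk.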