Bug#1019218: snakeyaml: CVE-2022-25857

tony mancill tmancill at debian.org
Tue Sep 27 16:06:58 BST 2022


On Mon, Sep 05, 2022 at 09:48:33PM +0200, Salvatore Bonaccorso wrote:
> Source: snakeyaml
> Version: 1.29-1
> Severity: important
> Tags: security upstream
> Forwarded: https://bitbucket.org/snakeyaml/snakeyaml/issues/525
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for snakeyaml.
> 
> CVE-2022-25857[0]:
> | The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable
> | to Denial of Service (DoS) due to a missing nesting depth limitation for
> | collections.

snakeyaml 1.31 has been uploaded to unstable.  I will start work on
1.33, which addresses other non-DSA CVEs [1].

Cheers,
tony

[1] https://security-tracker.debian.org/tracker/source-package/snakeyaml
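Added example, not part of this thread or of the Debian package: it shows how an application enforces the collection nesting limit that the 1.31 fix for issue 525 introduced, using the LoaderOptions.setNestingDepthLimit setter from upstream snakeyaml 1.31 (the API name comes from the upstream fix, not from this message); the nested document is constructed here and the class name is hypothetical.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class NestingDepthCheck {

    // Constructed input: a flow sequence nested 'depth' levels deep, e.g. [[[x]]].
    static String nestedDocument(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('x');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Returns true when the loader rejects the document at the configured limit
    // instead of recursing into every level of the collection.
    static boolean rejectsDeepNesting(int limit, int depth) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(limit);   // available since snakeyaml 1.31
        Yaml yaml = new Yaml(opts);
        try {
            yaml.load(nestedDocument(depth));
            return false;
        } catch (YAMLException e) {
            // 1.31+ raises a YAMLException once the nesting depth passes the limit
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("depth 10, limit 20, rejected: " + rejectsDeepNesting(20, 10));
        System.out.println("depth 30, limit 20, rejected: " + rejectsDeepNesting(20, 30));
    }
}
```

Versions before 1.31 have no such setter, so the only defence there is to keep untrusted YAML away from the parser or upgrade.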