Bug#1019218: snakeyaml: CVE-2022-25857
Salvatore Bonaccorso
carnil at debian.org
Tue Sep 27 16:41:21 BST 2022
Hi Tony,
On Tue, Sep 27, 2022 at 08:06:58AM -0700, tony mancill wrote:
> On Mon, Sep 05, 2022 at 09:48:33PM +0200, Salvatore Bonaccorso wrote:
> > Source: snakeyaml
> > Version: 1.29-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://bitbucket.org/snakeyaml/snakeyaml/issues/525
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for snakeyaml.
> >
> > CVE-2022-25857[0]:
> > | The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable
> > | to Denial of Service (DoS) due to missing nested depth limitation for
> > | collections.
>
> snakeyaml 1.31 has been uploaded to unstable. I will start work on
> 1.33, which addresses other non-DSA CVEs [1].
Thank you!
Regards,
Salvatore
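The issue tracked above (#525) is a missing bound on how deeply nested collections may be before the composer gives up. As an added illustration, not code from this thread or from the snakeyaml project, the following program shows the defensive side with a constructed input: a deliberately deep flow sequence is fed to the loader with an explicit nesting limit, and the loader rejects it instead of recursing until the stack is exhausted. It assumes snakeyaml 1.31 or later on the classpath and that the limit is configured through `LoaderOptions.setNestingDepthLimit(int)`, with an over-deep document surfacing as `org.yaml.snakeyaml.error.YAMLException`; both of those names are assumptions taken from the fixed release, not stated in the bug report.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class NestingDepthDemo {

    // Constructed test document: `depth` nested flow sequences, e.g. "[[[]]]".
    // No real data, just enough brackets to exceed a chosen limit.
    static String nested(int depth) {
        StringBuilder sb = new StringBuilder(2 * depth);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Parse `doc` with an explicit nesting limit.
    // Returns true when the document loads, false when the loader refuses it
    // because the collections are nested deeper than `limit`.
    static boolean loadsWithin(String doc, int limit) {
        LoaderOptions opts = new LoaderOptions();
        // Assumed API (added for issue #525 in 1.31): cap the composer's recursion.
        opts.setNestingDepthLimit(limit);
        Yaml yaml = new Yaml(opts);
        try {
            yaml.load(doc);
            return true;
        } catch (YAMLException e) {
            // Assumed exception type for an over-deep document.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        String shallow = nested(10);
        String deep = nested(10_000);
        System.out.println("shallow (10 levels), limit 50: " + loadsWithin(shallow, 50));
        System.out.println("deep (10000 levels), limit 50: " + loadsWithin(deep, 50));
        // Raising the limit to cover the input makes it load again; in a real
        // service the limit should stay as low as the accepted documents allow.
        System.out.println("deep (10000 levels), limit 20000: " + loadsWithin(deep, 20_000));
    }
}
```

Run with the snakeyaml jar on the classpath (`javac -cp snakeyaml-1.31.jar NestingDepthDemo.java && java -cp .:snakeyaml-1.31.jar NestingDepthDemo`). The point for a deployment is that the limit is only a mitigation when the version actually enforces it: on a pre-1.31 build the same call does not exist, and the deep document drives the recursive composer straight into a stack overflow, which is the DoS the CVE describes.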