Bug#1019218: snakeyaml: CVE-2022-25857

tony mancill tmancill at debian.org
Wed Sep 28 16:30:07 BST 2022


On Tue, Sep 27, 2022 at 05:41:21PM +0200, Salvatore Bonaccorso wrote:
> > snakeyaml 1.31 has been uploaded to unstable.  I will start work on
> > 1.33, which addresses other non-DSA CVEs [1].

Hello Salvatore,

After reviewing the remaining CVEs more closely, I believe I missed
documenting CVE-2022-38749 as resolved by the 1.31 upload.

CVE-2022-38749

https://nvd.nist.gov/vuln/detail/CVE-2022-38749 states that the issue
exists in versions up to (excluding) 1.31, implying that it was addressed
in 1.30.

The state of CVE-2022-38752 is more nuanced.

CVE-2022-38752

https://nvd.nist.gov/vuln/detail/CVE-2022-38752 states that the issue
exists in versions up to (excluding) 1.32, implying that it was addressed
in 1.31.  However, upstream [1] claims this as a false-positive and
has addressed it by adding a unit-test [2] in 1.32.

Therefore, I don't believe version 1.31 is actually impacted.  However,
in order to keep the security scanners happy and because upstream has
done a lot of code reformatting between 1.31 and 1.33 (which would make
porting future patches more difficult), I still intend to update to 1.33 after
completing the usual vetting (r-deps build, japi-compliance-checker
check, etc.).

Thank you,
tony

[1] https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081#comment-64048637
[2] https://bitbucket.org/snakeyaml/snakeyaml/commits/481078991274c1c8a0a550634164a230b4c23334