Bug#1030046: Document snakeyaml security expectations
Markus Koschany
apo at debian.org
Mon Jan 30 21:15:47 GMT 2023
Hi,
Am Montag, dem 30.01.2023 um 18:44 +0100 schrieb Moritz Muehlenhoff:
>
> Could we please add a README.Debian.security with something like the
> following
> to make this also visible to users?
>
> ----
> Note that snakeyaml isn't designed to operate on YAML data coming from
> untrusted
> sources, in such cases you need to apply sanitising/exception handling
> yourself.
>
> Please see https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
> for additional information.
> ----
Sure, that's doable. But how do we treat the current and new CVE in stable and
oldstable releases? no-dsa, ignored or keep them open until upstream eventually
fixes them?
Cheers,
Markus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20230130/409b8ae4/attachment.sig>
More information about the pkg-java-maintainers
mailing list