[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2022-1471,snakeyaml: unimportant

Markus Koschany (@apo) apo at debian.org
Sun Feb 19 16:40:28 GMT 2023



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8b5ce926 by Markus Koschany at 2023-02-19T17:30:56+01:00
CVE-2022-1471,snakeyaml: unimportant

Snakeyaml is not designed to process untrusted YAML input. This has been
clarified for users in version 1.33-2 with a README.Debian.security file.

See also Debian bug #1030046

- - - - -
823329f4 by Markus Koschany at 2023-02-19T17:33:20+01:00
CVE-2022-41854,snakeyaml: fixed in 1.33-1

According to the Google fuzzer this issue was fixed between 20220911 and
20220912. Version 1.32 was released back then. The first version in Debian was
1.33-1 and I assume this is fixed now. According to the CVE description the
parser would crash by stack overflow. A limit to the nesting depth of YAML
files has already been introduced with other CVE fixes, so that shouldn't be a
problem anymore.

- - - - -
8cada0ea by Markus Koschany at 2023-02-19T17:38:31+01:00
CVE-2022-41854,snakeyaml: Buster is not affected

because this issue was addressed in version 1.23-1+deb10u1. Bullseye will be
fixed with a point update in the near future.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -33392,7 +33392,8 @@ CVE-2022-41856
 CVE-2022-41855
 	REJECTED
 CVE-2022-41854 (Those using Snakeyaml to parse untrusted YAML files may be vulnerable  ...)
-	- snakeyaml <unfixed>
+	- snakeyaml 1.33-1
+	[buster] - snakeyaml 1.23-1+deb10u1
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355
 	TODO: check details
 CVE-2022-41853 (Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb ...)
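Review bot: the context line `TODO: check details` under CVE-2022-41854 is left in place even though this hunk settles the entry with `- snakeyaml 1.33-1` and the `[buster]` line. Either drop the TODO or replace it with a NOTE that records the basis for the fixed version. The commit message says the fix landed between 20220911 and 20220912 according to the fuzzer report and that 1.33-1 is assumed to be fixed, and that reasoning currently lives only in the commit log. A NOTE naming the earlier CVE fix that introduced the nesting-depth limit would also let a later reader verify the 1.23-1+deb10u1 claim for buster.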
@@ -66712,7 +66713,7 @@ CVE-2022-1473 (The OPENSSL_LH_flush() function, which empties a hash table, cont
 CVE-2022-1472 (The Better Find and Replace WordPress plugin before 1.3.6 does not pro ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2022-1471 (SnakeYaml's Constructor() class does not restrict types which can be i ...)
-	- snakeyaml <unfixed>
+	- snakeyaml <unfixed> (unimportant)
 	NOTE: https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2
 CVE-2022-1470 (The Ultimate WooCommerce CSV Importer WordPress plugin through 2.0 doe ...)
 	NOT-FOR-US: WordPress plugin
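Review bot: the `(unimportant)` tag added to the CVE-2022-1471 snakeyaml line has no accompanying NOTE giving the reason, so the entry still carries only the GHSA advisory link. Suggest adding a NOTE under it stating that snakeyaml is not designed to process untrusted YAML input, that this is documented in README.Debian.security as of 1.33-2, and referencing Debian bug #1030046, so the rationale is readable from data/CVE/list without consulting the commit log.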



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7810985b3197b87328b0961c533dab1911a47e9d...8cada0ea4fb8132e0d35bae7b26fd955f3a1fc5f
