Bug#952683: snakeyaml: CVE-2017-18640
tony mancill
tmancill at debian.org
Sat Feb 29 17:51:32 GMT 2020
On Thu, Feb 27, 2020 at 03:16:00PM +0100, Salvatore Bonaccorso wrote:
> Source: snakeyaml
> Version: 1.25+ds-2
> Severity: important
> Tags: security upstream
> Forwarded: https://bitbucket.org/asomov/snakeyaml/issues/377
> Control: found -1 1.23-1
> Control: found -1 1.17-1
>
> Hi,
>
> The following vulnerability was published for snakeyaml.
>
> CVE-2017-18640[0]:
> | The Alias feature in SnakeYAML 1.18 allows entity expansion during a
> | load operation, a related issue to CVE-2003-1564.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-18640
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
> [1] https://bitbucket.org/asomov/snakeyaml/issues/377
> [2] https://bitbucket.org/asomov/snakeyaml/commits/b680ce64971d943083012c04690c0ffa9fea6da4
The upstream issue has been marked as resolved and the links to the
proposed resolution returns a 404. I agree that we should have an issue
open in the tracker, but I don't see how this is actionable at this
time.
Cheers,
tony
More information about the pkg-java-maintainers
mailing list