Bug#952683: snakeyaml: CVE-2017-18640
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 29 20:17:50 GMT 2020
Hi Tony,
On Sat, Feb 29, 2020 at 09:51:32AM -0800, tony mancill wrote:
> On Thu, Feb 27, 2020 at 03:16:00PM +0100, Salvatore Bonaccorso wrote:
> > Source: snakeyaml
> > Version: 1.25+ds-2
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://bitbucket.org/asomov/snakeyaml/issues/377
> > Control: found -1 1.23-1
> > Control: found -1 1.17-1
> >
> > Hi,
> >
> > The following vulnerability was published for snakeyaml.
> >
> > CVE-2017-18640[0]:
> > | The Alias feature in SnakeYAML 1.18 allows entity expansion during a
> > | load operation, a related issue to CVE-2003-1564.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2017-18640
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
> > [1] https://bitbucket.org/asomov/snakeyaml/issues/377
> > [2] https://bitbucket.org/asomov/snakeyaml/commits/b680ce64971d943083012c04690c0ffa9fea6da4
>
> The upstream issue has been marked as resolved and the links to the
> proposed resolution returns a 404. I agree that we should have an issue
> open in the tracker, but I don't see how this is actionable at this
> time.
*sigh*. When I filled the bug I'm pretty sure the referenced commit
*was* not resulting in a 404 :(
Please have a look at
https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c
That is again the respective commit. Looks upstream did convert the
reposiitory.
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list