Bug#1030046: Document snakeyaml security expectations

Moritz Muehlenhoff jmm at inutil.org
Mon Feb 6 15:44:30 GMT 2023


On Mon, Jan 30, 2023 at 10:15:47PM +0100, Markus Koschany wrote:
> Hi,
> 
> Am Montag, dem 30.01.2023 um 18:44 +0100 schrieb Moritz Muehlenhoff:
> > 
> > Could we please add a README.Debian.security with something like the
> > following to make this also visible to users?
> > 
> > ----
> > Note that snakeyaml isn't designed to operate on YAML data coming from
> > untrusted sources; in such cases you need to apply sanitising/exception
> > handling yourself.
> > 
> > Please see https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
> > for additional information.
> > ----
> 
> Sure, that's doable. But how do we treat the current and new CVE in stable and
> oldstable releases? no-dsa, ignored or keep them open until upstream eventually
> fixes them?

Good question! How about we ship whatever is currently fixed upstream in LTS/
Bullseye 11.7 and ship such a README.Debian.security alongside? Then we can
just as well apply that to all further/future snakeyaml issues and mark them as
<unfixed> (unimportant).

Cheers,
        Moritz
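As an added illustration of the "apply sanitising/exception handling yourself"
advice above (example code, not from the thread, from the Debian package or
from snakeyaml upstream): a loader that refuses global `!!` tags by using
SafeConstructor, caps alias expansion, nesting depth and input size through
LoaderOptions, and turns every parser error into one checked failure. The
sample documents are constructed for the example. It assumes a recent
snakeyaml (2.x, or a late 1.x release where SafeConstructor accepts a
LoaderOptions); the limit values are arbitrary choices for the demonstration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class UntrustedYamlLoader {

    // Constructed sample: a global tag. The default `new Yaml()` Constructor
    // resolves such tags to arbitrary classes on the classpath; SafeConstructor
    // only knows the standard YAML tags and rejects it.
    static final String GLOBAL_TAG_DOC =
        "endpoint: !!java.net.URL 'http://example.invalid/'\n";

    // Constructed sample: anchors/aliases whose expansion grows exponentially
    // (the classic "billion laughs" shape), here with 4 levels of 9 aliases.
    static final String ALIAS_BOMB_DOC =
        "a: &a [x, x, x, x, x, x, x, x, x]\n" +
        "b: &b [*a, *a, *a, *a, *a, *a, *a, *a, *a]\n" +
        "c: &c [*b, *b, *b, *b, *b, *b, *b, *b, *b]\n" +
        "d: &d [*c, *c, *c, *c, *c, *c, *c, *c, *c]\n";

    // Constructed sample: ordinary configuration that should still load.
    static final String BENIGN_DOC =
        "name: demo\nreplicas: 3\ntags: [web, prod]\n";

    // Arbitrary budgets for this example; tune them to the data you expect.
    static final int MAX_CODE_POINTS = 256 * 1024;  // 256 KiB of input
    static final int MAX_ALIASES = 20;             // aliases to collection nodes
    static final int MAX_DEPTH = 20;               // nesting depth

    // Thrown for every rejected document so callers handle one failure type.
    public static final class RejectedYaml extends Exception {
        RejectedYaml(String msg, Throwable cause) { super(msg, cause); }
    }

    static Yaml hardenedLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);        // "last key wins" hides tampering
        opts.setAllowRecursiveKeys(false);        // self-referencing keys hang hashCode()
        opts.setMaxAliasesForCollections(MAX_ALIASES);
        opts.setNestingDepthLimit(MAX_DEPTH);
        opts.setCodePointLimit(MAX_CODE_POINTS);
        // SafeConstructor: no arbitrary class instantiation from !! tags.
        return new Yaml(new SafeConstructor(opts));
    }

    /** Parse YAML from an untrusted source into plain Maps/Lists/scalars only. */
    public static Object loadUntrusted(String text) throws RejectedYaml {
        // Cheap pre-check before the parser sees the data; the code point
        // limit inside LoaderOptions is the authoritative one.
        if (text.length() > MAX_CODE_POINTS) {
            throw new RejectedYaml("input too large: " + text.length(), null);
        }
        try {
            return hardenedLoader().load(text);
        } catch (YAMLException e) {
            // Covers ConstructorException (unknown/forbidden tag), alias and
            // depth limit violations, and plain syntax errors alike.
            throw new RejectedYaml("rejected YAML: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        String[][] samples = {
            {"benign", BENIGN_DOC},
            {"global tag", GLOBAL_TAG_DOC},
            {"alias bomb", ALIAS_BOMB_DOC},
        };
        for (String[] s : samples) {
            try {
                Object value = loadUntrusted(s[1]);
                System.out.println(s[0] + ": accepted -> " + value);
            } catch (RejectedYaml e) {
                System.out.println(s[0] + ": " + e.getMessage());
            }
        }
    }
}
```

Only the benign document is expected to load; the global-tag document fails
in SafeConstructor with a ConstructorException, and the alias document trips
the alias budget in the composer before anything is built. A loader built with
plain `new Yaml()` would accept all three, which is the behaviour the README
text above warns about.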



More information about the pkg-java-maintainers mailing list