On Thu, Feb 27, 2020 at 03:16:00PM +0100, Salvatore Bonaccorso wrote:
> Source: snakeyaml
> Version: 1.25+ds-2
> Severity: important
> Tags: security upstream
> Forwarded: https://bitbucket.org/asomov/snakeyaml/issues/377
> Control: found -1 1.23-1
> Control: found -1 1.17-1
>
> Hi,
>
> The following vulnerability was published for snakeyaml.
>
> CVE-2017-18640[0]:
> | The Alias feature in SnakeYAML 1.18 allows entity expansion during a
> | load operation, a related issue to CVE-2003-1564.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-18640
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
> [1] https://bitbucket.org/asomov/snakeyaml/issues/377
> [2] https://bitbucket.org/asomov/snakeyaml/commits/b680ce64971d943083012c04690c0ffa9fea6da4
The upstream issue has been marked as resolved and the links to the proposed resolution return a 404. I agree that we should have an issue open in the tracker, but I don't see how this is actionable at this time.

Cheers,
tony
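For readers following this thread: the issue being reported is that every alias to an anchored collection is expanded into a fresh copy of that collection when the document is loaded, so a small document with nested anchors and aliases can produce an object graph whose size grows much faster than the input. The snippet below is an added example of the defensive side, not code from the bug report or from the SnakeYAML project. It assumes a SnakeYAML release that already contains the upstream fix for CVE-2017-18640, which (in 1.26 and later) added `LoaderOptions.setMaxAliasesForCollections(int)` and the `Yaml(LoaderOptions)` constructor; on an unfixed build such as 1.25 these calls do not exist, and the only safe option is not to load untrusted YAML at all. The class name `BoundedYamlLoader` and the sample configuration are constructed for illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class BoundedYamlLoader {
    // Assumption: the SnakeYAML on the classpath contains the CVE-2017-18640 fix,
    // i.e. LoaderOptions exposes setMaxAliasesForCollections (1.26+).
    private final Yaml yaml;

    public BoundedYamlLoader(int maxAliasesForCollections) {
        LoaderOptions options = new LoaderOptions();
        // Bound how many aliases to non-scalar (collection) anchors a single
        // document may contain. Each such alias is materialised as a new copy
        // of the collection, which is the growth the CVE describes.
        options.setMaxAliasesForCollections(maxAliasesForCollections);
        // Recursive keys are another alias-driven construct; keep them off.
        options.setAllowRecursiveKeys(false);
        this.yaml = new Yaml(options);
    }

    /** Loads a document, turning the parser's limit violation into a rejection. */
    public Object load(String document) {
        try {
            return yaml.load(document);
        } catch (YAMLException e) {
            // Reject the document rather than let it drive memory and CPU use;
            // the message from SnakeYAML names which limit was exceeded.
            throw new IllegalArgumentException(
                "Rejected YAML document: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a small, legitimate use of one anchor and two aliases,
        // well inside the alias budget, so it loads normally.
        String config = String.join("\n",
            "defaults: &defaults",
            "  timeout: 30",
            "  retries: 3",
            "services:",
            "  api: *defaults",
            "  worker: *defaults",
            "");
        BoundedYamlLoader loader = new BoundedYamlLoader(50);
        Map<?, ?> parsed = (Map<?, ?>) loader.load(config);
        System.out.println(parsed.get("services"));
    }
}
```

The budget of 50 mirrors the default the fixed release applies; lower it for inputs that never legitimately use aliases, and treat any rejection as a signal worth logging, since a well-formed configuration file should not be anywhere near the limit.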