[Git][security-tracker-team/security-tracker][master] CVE-2023-33460 does not affect ruby-yajl

[Tobias Frost (@tobi)]

Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9513f0d4 by Tobias Frost at 2023-07-05T17:54:17+02:00
CVE-2023-33460 does not affect ruby-yajl

ruby-yail embeds yajl version 1.0.12 
(https://github.com/brianmario/yajl-ruby/blob/master/ext/yajl/api/yajl_version.h),
vulnerability intdroduced in version 2.0.0 
(https://github.com/lloyd/yajl/commit/cfa9f8f)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3047,10 +3047,12 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 
with use of yajl_tree_parse
        [bookworm] - r-cran-jsonlite <no-dsa> (Minor issue)
        [bullseye] - r-cran-jsonlite <no-dsa> (Minor issue)
        [buster] - r-cran-jsonlite <postponed> (Minor issue; fix only after 
newer releases got a fix)
-       - ruby-yajl <unfixed>
+       - ruby-yajl <not-affected> (ruby-yajl embeds non-affected old version 
of yajl)
        [bookworm] - ruby-yajl <no-dsa> (Minor issue)
        [bullseye] - ruby-yajl <no-dsa> (Minor issue)
        [buster] - ruby-yajl <no-dsa> (Minor issue)
+       NOTE: Introduced in yajl at version 2.0.0 with commit 
https://github.com/lloyd/yajl/commit/cfa9f8f
+       NOTE: ruby-yail embeds yajl version 1.0.12 
(https://github.com/brianmario/yajl-ruby/blob/master/ext/yajl/api/yajl_version.h)
 CVE-2023-33457 (In Sogou Workflow v0.10.6, memcpy a negtive size in 
URIParser::parse , ...)
        NOT-FOR-US: Sogou Workflow
 CVE-2023-33381 (A command injection vulnerability was found in the ping 
functionality  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9513f0d40c879bdba6909e72bc63741a78135335

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9513f0d40c879bdba6909e72bc63741a78135335
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits