Re: CVE-2023-33460, ruby-yajl affected?

2023-07-05 Thread Anton Gladky
Thanks all for the discussion.
@Tobias, thanks for marking the CVE in the list.

Best regards

Anton


On Wed, 5 July 2023 at 17:56, Tobias Frost wrote:

> On Wed, Jul 05, 2023 at 09:06:15AM +, Bastien Roucariès wrote:
> > On Wednesday, 5 July 2023, 04:52:48 UTC, Anton Gladky wrote:
> > > Hello,
> > >
> > > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> > > is affected. There is no direct dependency on yajl, where the
> vulnerability
> > > was detected.
> > ruby-yajl includes an old version of yajl, 1.01.12
> >
> > The vuln code was introduced by
> https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb
> in version 2.1.0 in 2010
>
> This matches my investigation, however, a small correction: This commit is
> already part of version 2.0.0.
>
> I've added a note in data/CVE/list accordingly.
>
> --
> Cheers,
> tobi
>
>


Accepted golang-yaml.v2 2.2.2-1+deb10u1 (source) into oldoldstable

2023-07-05 Thread Debian FTP Masters
Format: 1.8
Date: Wed, 05 Jul 2023 16:02:33 -0400
Source: golang-yaml.v2
Architecture: source
Version: 2.2.2-1+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Debian Go Packaging Team 
Changed-By: Roberto C. Sánchez 
Changes:
 golang-yaml.v2 (2.2.2-1+deb10u1) buster-security; urgency=medium
 .
   [ Roberto C. Sánchez ]
   * Non-maintainer upload by the LTS team.
 .
   [ Scarlett Moore ]
   * Add patch to add logic to catch cases of alias abuse.
 (Fixes: CVE-2021-4235)
   * Add patch to improve heuristics preventing CPU/memory abuse.
 (Fixes: CVE-2022-3064)



[SECURITY] [DLA 3479-1] golang-yaml.v2 security update

2023-07-05 Thread Roberto C . Sánchez
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3479-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                   Roberto C. Sánchez
July 05, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: golang-yaml.v2
Version: 2.2.2-1+deb10u1
CVE ID : CVE-2021-4235 CVE-2022-3064

Two denial of service vulnerabilities have been discovered in
golang-yaml.v2, a library which provides YAML support for the Go
language.

CVE-2021-4235

Due to unbounded alias chasing, a maliciously crafted YAML file can
cause the system to consume significant system resources. If parsing
user input, this may be used as a denial of service vector.

CVE-2022-3064

Parsing malicious or large YAML documents can consume excessive
amounts of CPU or memory.

Thanks to Scarlett Moore for working on preparing this update.

For Debian 10 buster, these problems have been fixed in version
2.2.2-1+deb10u1.

We recommend that you upgrade your golang-yaml.v2 packages.

For the detailed security status of golang-yaml.v2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-yaml.v2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


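The advisory above only names the problem ("unbounded alias chasing"). As an added illustration that is neither the advisory's nor golang-yaml.v2's own code, the Go sketch below shows the shape of a defence against it: track how much of the decode work is driven by alias expansion and abort once that share exceeds a threshold that shrinks as the document grows. The thresholds, names and the `simulate` stand-in for a decoder's node loop are assumptions made for this example.

```go
package main

import "errors"

// Thresholds are assumptions for this example (modelled on the shape of the
// upstream yaml.v2 mitigation, not copied from it).
const (
	ratioRangeLow, ratioRangeHigh = 400000, 4000000
	minAliasesChecked             = 100 // never trip on tiny, legitimate documents
)
var ErrExcessiveAliasing = errors.New("document contains excessive aliasing")
// allowedAliasRatio: fraction of decode work that may come from alias expansion;
// small documents may be almost entirely alias-driven, very large ones only 10%.
func allowedAliasRatio(decodeCount int) float64 {
	switch {
	case decodeCount <= ratioRangeLow:
		return 0.99
	case decodeCount >= ratioRangeHigh:
		return 0.10
	}
	scale := float64(decodeCount-ratioRangeLow) / float64(ratioRangeHigh-ratioRangeLow)
	return 0.99 - 0.89*scale
}
// aliasBudget is per-document decoder state: every decoded node counts once,
// nodes reached by expanding an alias also count towards aliasCount.
type aliasBudget struct{ decodeCount, aliasCount int }
// step records one decoded node and fails once alias-driven work dominates.
func (b *aliasBudget) step(viaAlias bool) error {
	b.decodeCount++
	if viaAlias {
		b.aliasCount++
	}
	if b.aliasCount > minAliasesChecked &&
		float64(b.aliasCount)/float64(b.decodeCount) > allowedAliasRatio(b.decodeCount) {
		return ErrExcessiveAliasing
	}
	return nil
}

// simulate stands in for a decoder's node loop: `direct` plain nodes, then
// `aliased` alias-expanded ones. Returns the 1-based step that tripped, or 0.
func simulate(direct, aliased int) int {
	var b aliasBudget
	for i := 1; i <= direct+aliased; i++ {
		if b.step(i > direct) != nil {
			return i
		}
	}
	return 0
}
```

A document with a thousand plain nodes and a handful of aliases passes, while one whose nodes come almost entirely from alias expansion is rejected after about a thousand decode steps rather than after exhausting memory.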


Re: CVE-2023-33460, ruby-yajl affected?

2023-07-05 Thread Tobias Frost
On Wed, Jul 05, 2023 at 09:06:15AM +, Bastien Roucariès wrote:
> On Wednesday, 5 July 2023, 04:52:48 UTC, Anton Gladky wrote:
> > Hello,
> > 
> > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> > is affected. There is no direct dependency on yajl, where the vulnerability
> > was detected.
> ruby-yajl includes an old version of yajl, 1.01.12
> 
> The vuln code was introduced by 
> https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb 
> in version 2.1.0 in 2010

This matches my investigation, however, a small correction: This commit is 
already part of version 2.0.0.

I've added a note in data/CVE/list accordingly.

-- 
Cheers,
tobi
 



Re: CVE-2023-33460, ruby-yajl affected?

2023-07-05 Thread Tobias Frost
On 5 July 2023 04:52:48 UTC, Anton Gladky wrote:
>Hello,
>
>I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
>is affected. There is no direct dependency on yajl, where the vulnerability
>was detected.
>
>Should ruby-yajl be unmarked as affected by this CVE?
>
>Thank you
>
>Anton

This matches my analysis: ruby-yajl is not affected.



Re: CVE-2023-33460, ruby-yajl affected?

2023-07-05 Thread Bastien Roucariès
On Wednesday, 5 July 2023, 04:52:48 UTC, Anton Gladky wrote:
> Hello,
> 
> I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> is affected. There is no direct dependency on yajl, where the vulnerability
> was detected.
ruby-yajl includes an old version of yajl, 1.01.12

The vuln code was introduced by 
https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb 
in version 2.1.0 in 2010

Now the question is why this package uses such an old version.

Bastien
> 
> Should ruby-yajl be unmarked as affected by this CVE?
> 
> Thank you
> 
> Anton
>