Re: CVE-2023-33460, ruby-yajl affected?
Thanks all for the discussion. @Tobias, thanks for marking the CVE in the list.

Best regards

Anton

On Wed, 5 July 2023 at 17:56, Tobias Frost wrote:
> On Wed, Jul 05, 2023 at 09:06:15AM +, Bastien Roucariès wrote:
> > On Wednesday 5 July 2023, 04:52:48 UTC Anton Gladky wrote:
> > > Hello,
> > >
> > > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> > > is affected. There is no direct dependency on yajl, where the vulnerability
> > > was detected.
> > ruby-yajl includes an old version of yajl 1.01.12
> >
> > The vuln code was introduced by
> > https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb
> > in version 2.1.0 in 2010
>
> This matches my investigation; however, a small correction: this commit is
> already part of version 2.0.0.
>
> I've added a note in data/CVE/list accordingly.
>
> --
> Cheers,
> tobi
Re: CVE-2023-33460, ruby-yajl affected?
On Wed, Jul 05, 2023 at 09:06:15AM +, Bastien Roucariès wrote:
> On Wednesday 5 July 2023, 04:52:48 UTC Anton Gladky wrote:
> > Hello,
> >
> > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> > is affected. There is no direct dependency on yajl, where the vulnerability
> > was detected.
> ruby-yajl includes an old version of yajl 1.01.12
>
> The vuln code was introduced by
> https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb
> in version 2.1.0 in 2010

This matches my investigation; however, a small correction: this commit is already part of version 2.0.0.

I've added a note in data/CVE/list accordingly.

--
Cheers,
tobi
Re: CVE-2023-33460, ruby-yajl affected?
On Wednesday 5 July 2023, 04:52:48 UTC Anton Gladky wrote:
> Hello,
>
> I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> is affected. There is no direct dependency on yajl, where the vulnerability
> was detected.

ruby-yajl includes an old version of yajl 1.01.12

The vuln code was introduced by
https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb
in version 2.1.0 in 2010

Now the question is why this package uses such an old version

Bastien

>
> Should ruby-yajl be unmarked as affected by this CVE?
>
> Thank you
>
> Anton
>