Your message dated Thu, 30 Apr 2020 01:56:04 +0000
with message-id <[email protected]>
and subject line Bug#859891: fixed in yaml-cpp 0.6.3-1
has caused the Debian Bug report #859891,
regarding yaml-cpp: CVE-2017-5950
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
859891: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859891
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: yaml-cpp
Version: 0.5.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/jbeder/yaml-cpp/issues/459
Control: clone -1 -2
Control: reassign -2 src:yaml-cpp0.3
Control: found -2 0.3.0-1.1
Control: retitle -2 yaml-cpp0.3: CVE-2017-5950

Hi,

the following vulnerability was published for yaml-cpp.

CVE-2017-5950[0]:
| The SingleDocParser::HandleNode function in yaml-cpp (aka LibYaml-C++)
| 0.5.3 allows remote attackers to cause a denial of service (stack
| consumption and application crash) via a crafted YAML file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

The issue is easily reproducible with the payload provided in the
upstream report, using the parser in util/parse.cpp and reducing the
stack size for easier reproducibility.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5950
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5950

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: yaml-cpp
Source-Version: 0.6.3-1
Done: Simon Quigley <[email protected]>

We believe that the bug you reported is fixed in the latest version of
yaml-cpp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Quigley <[email protected]> (supplier of updated yaml-cpp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 29 Apr 2020 20:24:07 -0500
Source: yaml-cpp
Architecture: source
Version: 0.6.3-1
Distribution: unstable
Urgency: medium
Maintainer: Simon Quigley <[email protected]>
Changed-By: Simon Quigley <[email protected]>
Closes: 859891 870326 918145 918147 919430 919432 958505
Changes:
 yaml-cpp (0.6.3-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #958505).
     - Refresh patches.
     - BUILD_SHARED_LIBS -> YAML_BUILD_SHARED_LIBS cmake flag.
     - Update symbols from amd64 build log.
   * Add the following CVE patches:
     - fix-CVE-2017-11692.patch
       + Fixes CVE-2017-11692 (Closes: #870326).
     - fix-unbounded-recursion-depth.patch
       + Fixes CVE-2017-5950 (Closes: #859891).
       + Fixes CVE-2018-20573 (Closes: #918147).
       + Fixes CVE-2018-20574 (Closes: #918145).
       + Fixes CVE-2019-6285 (Closes: #919432, 919430).
   * Migrate to using the debhelper-compat dependency.
   * Bump Standards-version to 4.5.0, no changes needed.
   * Migrate to debhelper 13.
Checksums-Sha1:
 1c3c46e2da4e4bd37a62addbb6f6cdfff0452e94 1910 yaml-cpp_0.6.3-1.dsc
 98d98632b3a62fdf1172442f8ad8190fc11cbef7 1398768 yaml-cpp_0.6.3.orig.tar.gz
 b120e27ca45b2e0f03569c8222058a9995dd7a5b 9896 yaml-cpp_0.6.3-1.debian.tar.xz
 674944ff77e503f96a91572d84bbf1779de2fff1 7225 yaml-cpp_0.6.3-1_source.buildinfo
Checksums-Sha256:
 a5f7e645c78cfb5addd85526a974266ce7483c61e8cacff72bce03d925eb59b0 1910 yaml-cpp_0.6.3-1.dsc
 77ea1b90b3718aa0c324207cb29418f5bced2354c2e483a9523d98c3460af1ed 1398768 yaml-cpp_0.6.3.orig.tar.gz
 eaad5203b2d53f95017883860dbf595c5457e7fafc4c7ed5dc62abe45644b52d 9896 yaml-cpp_0.6.3-1.debian.tar.xz
 096956a8aa3c64dbb32c7ba5f3333dc74f9a8391ba3849704a8bec04ddd1ee10 7225 yaml-cpp_0.6.3-1_source.buildinfo
Files:
 6a8128dc53ac49e2ba956446aeae937d 1910 devel optional yaml-cpp_0.6.3-1.dsc
 b45bf1089a382e81f6b661062c10d0c2 1398768 devel optional yaml-cpp_0.6.3.orig.tar.gz
 77679e67e83f27757eff8821cee2acd2 9896 devel optional yaml-cpp_0.6.3-1.debian.tar.xz
 75f45dc40e73a04c140d77b7fca17986 7225 devel optional yaml-cpp_0.6.3-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEXHq+og+GMEWcyMi14n8s+EWML6QFAl6qKNgACgkQ4n8s+EWM
L6QH+xAAsm75JpeAJ57ivPqTWGVRBQdcu7/LaPViXUuf9jJY6RnhnKEYIOe2l7gN
PxGE0pIe1z+nWIixqTt7vXDLEHQO9WDbiE9k6efc+LzOqHsi7R4Sf9xJ2k2ueV3z
Ib+j/2WSeU6/+JGLu5H75zGtxxMHad0lXHCRVu8Thu1H6ruI6uJOXE4V5l4sxjfz
wvY2XQPcihqmbLI8NdXhedXjwpgih4JZNfb2FJfN8UiQGoaV7BCaNAdeNPLv64zs
5DcZCoIZwHyLQxXm953fFwlMOua5AYTX1Rl9b06wZkuzo3HLn7hqUTrz9b7iC2KO
E3jLSBXOZexa5MHpPOh4BtUzOcZUFEBIgNWKnGrNGiLIKkEZsc8vJy1b4OzckE8O
3tj5Tn7v+Wk2WPYq/gdfQ/SP6tcMQB6fIfB2Ap2p0BxOBuhHHksn5fhjtgks4GmK
rk6noNg4XD4SfcI+lqiTYBnkZREj7sikBBiqyrRoXiSPJr5jDpgyS6LGVlzrUfo3
zPNXrX8XjxpDB2AkJWYQARPG7p/KDt9Ciyf9iXy0M3tR14GLKv7+ZJO6NZH0KZWu
QUzY8TgOh8UDNPjFGKefX16oTsfw2EE+rv66F218hrU0G5TNZ6dQ4RkPR4yz8Wcr
q2HOHy4+sSKHSXNf1Hz6uhIlUJWzotlt1LuMCN0Kr6ufyZk0sRo=
=tP7p
-----END PGP SIGNATURE-----

--- End Message ---
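The bug report above describes a recursive node handler (SingleDocParser::HandleNode) with no bound on nesting depth, so a crafted document can drive recursion until the stack is exhausted, and the changelog closes it with fix-unbounded-recursion-depth.patch. The C++ below is an added illustration of that class of fix; it is not yaml-cpp's code and not the Debian patch. It walks nested YAML flow sequences ("[a, [b, [c]]]") with a recursion budget that is checked before every descent, so the budget rather than the stack decides when parsing stops. The names parse_flow_depth, walk_sequence, accepts_within_budget, nested_document, kMaxDepth, DepthExceeded and the limit of 64 are this example's own assumptions.

```cpp
// Added example (not yaml-cpp code): a depth-bounded recursive walk over
// YAML flow sequences.  The reported bug is the unbounded form of this:
// recursion driven purely by the input's nesting, with nothing stopping it
// before the stack runs out.
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical depth budget.  A real parser picks a value that comfortably
// fits legitimate documents while staying far below the thread's stack size.
constexpr std::size_t kMaxDepth = 64;

struct DepthExceeded : std::runtime_error {
    explicit DepthExceeded(std::size_t d)
        : std::runtime_error("nesting depth " + std::to_string(d) + " exceeds limit") {}
};

namespace {
// Walks one flow sequence starting at s[pos] == '[' and returns the deepest
// nesting level found beneath it.  'depth' is the current recursion level;
// it is checked *before* any further descent so that a crafted input costs
// at most max_depth + 1 stack frames, never an unbounded number.
std::size_t walk_sequence(const std::string& s, std::size_t& pos,
                          std::size_t depth, std::size_t max_depth) {
    if (depth > max_depth) throw DepthExceeded(depth);
    if (pos >= s.size() || s[pos] != '[') throw std::runtime_error("expected '['");
    ++pos;                                   // consume '['
    std::size_t deepest = depth;
    while (pos < s.size()) {
        const char c = s[pos];
        if (c == ']') { ++pos; return deepest; }
        if (c == '[') {
            const std::size_t d = walk_sequence(s, pos, depth + 1, max_depth);
            if (d > deepest) deepest = d;
        } else {
            ++pos;                           // scalar byte, comma or whitespace
        }
    }
    throw std::runtime_error("unterminated sequence");
}
}  // namespace

// Returns the maximum nesting depth of a flow-sequence document (top level is
// depth 1) or throws DepthExceeded once the budget is crossed.
std::size_t parse_flow_depth(const std::string& doc, std::size_t max_depth = kMaxDepth) {
    std::size_t pos = 0;
    const std::size_t d = walk_sequence(doc, pos, 1, max_depth);
    while (pos < doc.size() && (doc[pos] == ' ' || doc[pos] == '\n')) ++pos;
    if (pos != doc.size()) throw std::runtime_error("trailing data");
    return d;
}

// Constructed input: a document nested 'levels' deep, "[[[...]]]".
std::string nested_document(std::size_t levels) {
    return std::string(levels, '[') + std::string(levels, ']');
}

// True if the document parses within the budget, false if the depth limit
// rejected it.  Plain syntax errors still propagate as exceptions.
bool accepts_within_budget(const std::string& doc, std::size_t max_depth = kMaxDepth) {
    try {
        parse_flow_depth(doc, max_depth);
        return true;
    } catch (const DepthExceeded&) {
        return false;
    }
}

int main() {
    std::cout << "normal document depth: "
              << parse_flow_depth("[a, [b, [c, d]], e]") << '\n';
    // 100000 levels would blow the stack in an unbounded parser; here it is
    // refused after 65 frames.
    std::cout << "100000-level document accepted: " << std::boolalpha
              << accepts_within_budget(nested_document(100000)) << '\n';
    return 0;
}
```

The check sits at the top of walk_sequence, before the recursive call is made, which is what makes the bound effective: placing it after the descent would already have consumed the frame. Rejecting with an exception rather than silently truncating keeps the failure visible to the caller, and running the binary under a reduced stack (ulimit -s, as the report suggests for reproduction) is a cheap regression test that the limit, not the stack, is what stops the deeply nested input.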