Your message dated Fri, 30 Sep 2022 15:38:07 +0000
with message-id <e1oei5x-004on8...@fasolo.debian.org>
and subject line Bug#1021014: fixed in snakeyaml 1.33-1
has caused the Debian Bug report #1021014,
regarding snakeyaml: CVE-2022-38752
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1021014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021014
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: snakeyaml
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for snakeyaml.
CVE-2022-38752[0]:
| Using snakeYAML to parse untrusted YAML files may be vulnerable to
| Denial of Service attacks (DOS). If the parser is running on user
| supplied input, an attacker may supply content that causes the parser
| to crash by stack-overflow.
Fixed in 1.32:
https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081 (not public)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-38752
https://www.cve.org/CVERecord?id=CVE-2022-38752
Please adjust the affected versions in the BTS as needed.
--- End Message ---
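As an added illustration of the defensive side of the report above (not code from the snakeyaml project or from this bug thread): a loader configured with explicit resource limits, so that a deeply nested document is rejected with an exception instead of exhausting the JVM stack. It assumes SnakeYAML 1.32 or later, that `LoaderOptions.setNestingDepthLimit` is available in that release, and Java 11+ for `String.repeat`; the depth values are illustrative.

```java
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

public class BoundedYamlLoader {

    // Nesting depth allowed for documents from untrusted sources (illustrative value).
    static final int MAX_DEPTH = 25;

    // Build a Yaml instance that refuses deeply nested and alias-heavy input.
    // SafeConstructor additionally keeps arbitrary Java types from being instantiated.
    static Yaml newBoundedLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(MAX_DEPTH);   // assumed: introduced in SnakeYAML 1.32
        opts.setMaxAliasesForCollections(10);   // bound alias expansion as well
        opts.setAllowRecursiveKeys(false);      // the default, stated explicitly
        return new Yaml(new SafeConstructor(opts), new Representer(),
                        new DumperOptions(), opts);
    }

    // Returns the parsed document, or null when a limit rejected the input or it is
    // malformed. YAMLException is what the depth check throws, so the failure is a
    // caught exception rather than a StackOverflowError.
    static Object loadUntrusted(String document) {
        try {
            return newBoundedLoader().load(document);
        } catch (YAMLException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    // Constructed sample input: a flow sequence nested 'depth' levels deep, [[[...]]].
    static String nestedSequence(int depth) {
        return "[".repeat(depth) + "]".repeat(depth);
    }

    public static void main(String[] args) {
        System.out.println(loadUntrusted("a: 1\nb: [x, y]") != null);   // accepted
        System.out.println(loadUntrusted(nestedSequence(5)) != null);   // accepted
        System.out.println(loadUntrusted(nestedSequence(200)) == null); // rejected by depth limit
    }
}
```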
--- Begin Message ---
Source: snakeyaml
Source-Version: 1.33-1
Done: tony mancill <tmanc...@debian.org>
We believe that the bug you reported is fixed in the latest version of
snakeyaml, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1021...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated snakeyaml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 30 Sep 2022 07:52:55 -0700
Source: snakeyaml
Architecture: source
Version: 1.33-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Closes: 1021014
Changes:
snakeyaml (1.33-1) unstable; urgency=medium
.
  * Team upload.
  * New upstream version 1.33 (Closes: #1021014)
    - CVE-2022-38752 was deemed a false-positive by upstream and marked as
      resolved via a unit-test in 1.32
      (https://bitbucket.org/snakeyaml/snakeyaml/issues/531/)
  * Add debian/README.source to document manual tarball handling
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---