Source: snakeyaml
Version: 1.33-1
Severity: important

Google's oss-fuzz found various cases where snakeyaml triggers an exception
on malformed YAML input. These end up blindly being picked up by various
security web sites (since CVE IDs were assigned).

This is causing lots of overhead/annoyance for the upstream developers
(as voiced in 
https://bitbucket.org/snakeyaml/snakeyaml/issues/551/snakeyaml-cves-from-oss-fuzz)
and they released 
https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
to document expectations.

Could we please add a README.Debian.security with something like the following
to make this also visible to users?

----
Note that snakeyaml isn't designed to operate on YAML data coming from untrusted
sources; in such cases you need to apply sanitising/exception handling yourself.

Please see https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
for additional information.
----

Cheers,
        Moritz
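The sanitising and exception handling the proposed README asks users to do, as an added example in Java that is not part of this bug report or of the snakeyaml project itself. It assumes snakeyaml 1.32 or later, where SafeConstructor takes a LoaderOptions; the class name and the limit values are illustrative choices.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;
import java.util.Optional;

// Added example: load YAML from an untrusted source with SafeConstructor,
// resource limits and exception handling, so malformed input is rejected
// instead of surfacing as an uncaught exception.
public final class UntrustedYamlLoader {

    private final Yaml yaml;

    public UntrustedYamlLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setCodePointLimit(1024 * 1024);   // cap document size at 1 MiB
        opts.setMaxAliasesForCollections(50);  // bound alias expansion in collections
        opts.setNestingDepthLimit(20);         // bound recursion on deeply nested documents
        opts.setAllowDuplicateKeys(false);     // reject ambiguous mappings
        // SafeConstructor builds only standard YAML types, never arbitrary Java classes.
        this.yaml = new Yaml(new SafeConstructor(opts));
    }

    /** Returns the parsed top-level mapping, or empty if the input is malformed or not a mapping. */
    public Optional<Map<?, ?>> loadMapping(String untrustedYaml) {
        try {
            Object parsed = yaml.load(untrustedYaml);
            return parsed instanceof Map ? Optional.of((Map<?, ?>) parsed) : Optional.empty();
        } catch (YAMLException e) {
            // Scanner, parser and constructor errors on malformed input all derive from YAMLException.
            System.err.println("rejected malformed YAML: " + e.getMessage());
            return Optional.empty();
        } catch (StackOverflowError e) {
            // Defence in depth in case nesting gets past the depth limit on an older release.
            System.err.println("rejected YAML: excessive nesting");
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        UntrustedYamlLoader loader = new UntrustedYamlLoader();
        // Constructed sample inputs: a well-formed mapping, an unterminated sequence,
        // and a document using a custom tag, which SafeConstructor refuses to construct.
        System.out.println(loader.loadMapping("name: demo\nports: [80, 443]\n").isPresent());
        System.out.println(loader.loadMapping("name: [unterminated\n").isPresent());
        System.out.println(loader.loadMapping("!!com.example.Hypothetical {}\n").isPresent());
    }
}
```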
        
