Source: yajl
Version: 2.1.0-2
Severity: important
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

The following CVE was published for yajl:

CVE-2023-33460[0]:
There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which
will cause out-of-memory in server and cause crash.

Upstream Issue [1] links to a potential patch [2]

I'm filing this bug as I'm going to fix the issue for ELTS (stretch/jessie)
and then possibly also will NMU for sid, bookworm and bullseye and buster.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

[0] https://security-tracker.debian.org/tracker/CVE-2023-33460

[1] https://github.com/lloyd/yajl/issues/250

[2] 
https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698

-- 
Cheers,
tobi

-- System Information:
Debian Release: 12.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'oldstable-security'), (500, 
'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (100, 
'bullseye-fasttrack'), (100, 'bullseye-backports-staging'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Attachment: signature.asc
Description: PGP signature

Reply via email to