Hi,

On Monday, 30.01.2023 at 18:44 +0100, Moritz Muehlenhoff wrote:
>
> Could we please add a README.Debian.security with something like the following
> to make this also visible to users?
>
> ----
> Note that snakeyaml isn't designed to operate on YAML data coming from untrusted
> sources; in such cases you need to apply sanitising/exception handling yourself.
>
> Please see https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
> for additional information.
> ----
Sure, that's doable. But how do we treat the current and new CVEs in stable and oldstable releases? no-dsa, ignored, or keep them open until upstream eventually fixes them?

Cheers,
Markus
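The "apply sanitising/exception handling yourself" advice in the quoted README text is, in practice, "do not load untrusted YAML with the default `new Yaml()`". The following is an added example, not code from the thread or from the snakeyaml project, of what that looks like: a loader built on `SafeConstructor`, which maps only the standard YAML tags (`!!str`, `!!int`, `!!map`, ...) and refuses any global tag that names a Java class, plus `LoaderOptions` limits on document size and alias expansion. It assumes SnakeYAML 2.x (where `SafeConstructor` requires a `LoaderOptions` argument), and the class name `com.example.Anything` and both sample documents are constructed for the illustration.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class UntrustedYamlLoader {

    // Constructed sample input (not from the thread): an attacker-controlled document
    // carrying a global tag that names a Java class. The default Yaml() resolves such
    // tags to classes and tries to instantiate them; SafeConstructor does not.
    static final String HOSTILE = "name: demo\npayload: !!com.example.Anything {}\n";

    // Constructed benign input: plain scalars and a mapping only.
    static final String BENIGN = "name: demo\nretries: 3\n";

    /**
     * Loader for YAML from untrusted sources. SafeConstructor only knows the standard
     * YAML tags, so a document can never name a class to instantiate. The LoaderOptions
     * limits bound the work a hostile document can cause (assumed SnakeYAML 2.x API).
     */
    static Yaml safeLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);        // reject ambiguous documents outright
        opts.setMaxAliasesForCollections(50);     // cap alias expansion (billion-laughs style)
        opts.setCodePointLimit(1024 * 1024);      // refuse documents larger than 1 MiB
        return new Yaml(new SafeConstructor(opts));
    }

    /**
     * Parses untrusted YAML into plain Java maps, lists and scalars. Any parse or
     * construction problem surfaces as a YAMLException, which the caller handles;
     * nothing is instantiated on the attacker's behalf.
     */
    static Map<String, Object> loadUntrusted(String doc) {
        Object root = safeLoader().load(doc);
        if (!(root instanceof Map)) {
            throw new YAMLException("expected a mapping at the document root");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> m = (Map<String, Object>) root;
        return m;
    }

    /**
     * The pattern the README text warns about, kept here for contrast only: the
     * default constructor honours class tags in the input. Never call this on data
     * you did not write yourself.
     */
    static Object unsafeLoad(String doc) {
        return new Yaml().load(doc);
    }

    public static void main(String[] args) {
        System.out.println("safe loader, benign input: " + loadUntrusted(BENIGN));
        try {
            loadUntrusted(HOSTILE);
            System.out.println("unexpected: hostile input was accepted");
        } catch (YAMLException e) {
            // SafeConstructor refuses the unknown global tag before any class lookup happens.
            System.out.println("safe loader rejected hostile input: " + e.getMessage());
        }
        // unsafeLoad(HOSTILE) would instead attempt to instantiate com.example.Anything.
    }
}
```

Catching `YAMLException` (the base type of SnakeYAML's parser, scanner and constructor exceptions) is the "exception handling" half of the advice: a rejected document should fail the request, not crash the service, and the message should be logged rather than echoed back to the client.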
This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.