Your message dated Sun, 19 Feb 2023 16:04:19 +0000
with message-id <e1ptmal-00ekt1...@fasolo.debian.org>
and subject line Bug#1030046: fixed in snakeyaml 1.33-2
has caused the Debian Bug report #1030046,
regarding Document snakeyaml security expectations
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1030046: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030046
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: snakeyaml
Version: 1.33-1
Severity: important

Google's oss-fuzz found various cases where snakeyaml triggers an exception
on malformed YAML input. These end up blindly being picked up by various
security web sites (since CVE IDs were assigned).

This is causing lots of overhead/annoyance for the upstream developers
(as voiced in 
https://bitbucket.org/snakeyaml/snakeyaml/issues/551/snakeyaml-cves-from-oss-fuzz)
and they released 
https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
to document expectations.

Could we please add a README.Debian.security with something like the following
to make this also visible to users?

----
Note that snakeyaml isn't designed to operate on YAML data coming from untrusted
sources, in such cases you need to apply sanitising/exception handling yourself.

Please see https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
for additional information.
----

Cheers,
        Moritz
        

--- End Message ---
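The "sanitising/exception handling yourself" that the README text above asks consumers to apply, written out as an added Java example; it is not part of the bug report or of the snakeyaml project's own code. The class name GuardedYamlLoader, the limit values and the sample inputs are assumptions; the LoaderOptions setters and the SafeConstructor(LoaderOptions) constructor are assumed to be those of the snakeyaml 1.33 API the report concerns.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;
import java.util.Optional;

/**
 * Added example (not project code): load YAML that may come from an
 * untrusted source with resource limits and explicit exception handling,
 * as the README.Debian.security text says the caller must do.
 */
public final class GuardedYamlLoader {

    // Assumed, application-chosen limits; tune them for your real inputs.
    private static final int MAX_CODE_POINTS = 64 * 1024;
    private static final int MAX_ALIASES = 20;
    private static final int MAX_NESTING = 20;

    private final Yaml yaml;

    public GuardedYamlLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setCodePointLimit(MAX_CODE_POINTS);        // bound total document size
        opts.setMaxAliasesForCollections(MAX_ALIASES);  // bound alias expansion
        opts.setNestingDepthLimit(MAX_NESTING);         // bound nesting depth
        opts.setAllowRecursiveKeys(false);              // reject self-referencing keys
        opts.setAllowDuplicateKeys(false);              // duplicate keys are an error
        // SafeConstructor only builds standard YAML types (maps, lists,
        // scalars); it never instantiates application classes from tags.
        this.yaml = new Yaml(new SafeConstructor(opts));
    }

    /**
     * Returns the parsed top-level mapping, or empty when the input is
     * malformed, exceeds a configured limit, or is not a mapping at all.
     */
    public Optional<Map<String, Object>> loadMapping(String untrustedInput) {
        try {
            Object doc = yaml.load(untrustedInput);
            if (doc instanceof Map) {
                @SuppressWarnings("unchecked")
                Map<String, Object> mapping = (Map<String, Object>) doc;
                return Optional.of(mapping);
            }
            return Optional.empty();  // scalar or sequence at top level: reject
        } catch (YAMLException e) {
            // Scanner, parser and constructor failures on malformed input all
            // extend YAMLException; log e.getMessage() and treat as rejected.
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        GuardedYamlLoader loader = new GuardedYamlLoader();
        // Constructed sample inputs for demonstration only.
        System.out.println(loader.loadMapping("name: demo\nport: 8080\n"));  // present
        System.out.println(loader.loadMapping("unbalanced: [1, 2\n"));        // empty
        System.out.println(loader.loadMapping("- just\n- a list\n"));        // empty
    }
}
```

Failures that do not derive from YAMLException are not caught here on purpose; the size, alias and depth limits set on LoaderOptions are what keeps such inputs from being processed in the first place, and catching a bare Throwable would hide real programming errors.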
--- Begin Message ---
Source: snakeyaml
Source-Version: 1.33-2
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
snakeyaml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1030...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated snakeyaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 19 Feb 2023 16:28:46 +0100
Source: snakeyaml
Architecture: source
Version: 1.33-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1030046
Changes:
 snakeyaml (1.33-2) unstable; urgency=medium
 .
   * Team upload.
   * Declare compliance with Debian Policy 4.6.2.
   * Add README.Debian.security and explain that snakeyaml is not designed to
     process YAML input from untrusted sources. (Closes: #1030046)
Checksums-Sha1:
 74e69a8a828fb7bd7ba975f7e14948cb4edf13ac 2567 snakeyaml_1.33-2.dsc
 1b133266942d3c2b4eab85c2bf3c90b913ceb1d5 10384 snakeyaml_1.33-2.debian.tar.xz
 6f02a71ee505224de0f03b40f644dc1b224205fe 15381 snakeyaml_1.33-2_amd64.buildinfo
Checksums-Sha256:
 14d7c43c1d801037b7c900bc693d561c2f6408a57079bc3927a587980817796c 2567 snakeyaml_1.33-2.dsc
 ad8ed842ae4e7c926b3e322cce93928f71d72fb3a6851ca1731a2546085e778d 10384 snakeyaml_1.33-2.debian.tar.xz
 dc182dcdf635e645c3cdb39b600629ee622aeb14c19f7441fe4f523463ce71bb 15381 snakeyaml_1.33-2_amd64.buildinfo
Files:
 92b9f6c7b2a33395914816ab021dd3d4 2567 java optional snakeyaml_1.33-2.dsc
 50a6ce40ac0a690b09505c31923e0fdd 10384 java optional snakeyaml_1.33-2.debian.tar.xz
 7a7b7c5977746b39a816a0c8486a5748 15381 java optional snakeyaml_1.33-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---