Bug#1030046: Document snakeyaml security expectations

2023-02-06 Thread Moritz Muehlenhoff
On Mon, Jan 30, 2023 at 10:15:47PM +0100, Markus Koschany wrote:
> Hi,
>
> On Monday, 30.01.2023 at 18:44 +0100, Moritz Muehlenhoff wrote:
> >
> > Could we please add a README.Debian.security with something like the following
> > to make this also visible to users?
> >
> >

Bug#1030046: Document snakeyaml security expectations

2023-01-30 Thread Markus Koschany
Hi,

On Monday, 30.01.2023 at 18:44 +0100, Moritz Muehlenhoff wrote:
>
> Could we please add a README.Debian.security with something like the following
> to make this also visible to users?
>
>
> Note that snakeyaml isn't designed to operate on YAML data coming from untrusted
>

Bug#1030046: Document snakeyaml security expectations

2023-01-30 Thread Moritz Muehlenhoff
Source: snakeyaml
Version: 1.33-1
Severity: important

Google's oss-fuzz found various cases where snakeyaml triggers an exception on malformed YAML input. These end up blindly being picked up by various security web sites (since CVE IDs were assigned). This is causing lots of overhead/annoyance for