Hi Tony,

On Sat, Feb 29, 2020 at 09:51:32AM -0800, tony mancill wrote:
> On Thu, Feb 27, 2020 at 03:16:00PM +0100, Salvatore Bonaccorso wrote:
> > Source: snakeyaml
> > Version: 1.25+ds-2
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://bitbucket.org/asomov/snakeyaml/issues/377
> > Control: found -1 1.23-1
> > Control: found -1 1.17-1
> >
> > Hi,
> >
> > The following vulnerability was published for snakeyaml.
> >
> > CVE-2017-18640[0]:
> > | The Alias feature in SnakeYAML 1.18 allows entity expansion during a
> > | load operation, a related issue to CVE-2003-1564.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2017-18640
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
> > [1] https://bitbucket.org/asomov/snakeyaml/issues/377
> > [2] https://bitbucket.org/asomov/snakeyaml/commits/b680ce64971d943083012c04690c0ffa9fea6da4
>
> The upstream issue has been marked as resolved and the links to the
> proposed resolution return a 404. I agree that we should have an issue
> open in the tracker, but I don't see how this is actionable at this
> time.
*sigh*. When I filed the bug I'm pretty sure the referenced commit *was*
not resulting in a 404 :(

Please have a look at
https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c

That is again the respective commit. Looks like upstream converted the
repository.

Regards,
Salvatore
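For readers following the thread, here is an added example (not part of the bug report or of SnakeYAML's own code) showing how an application caps alias expansion so that a document relying on the CVE-2017-18640 behaviour is rejected at compose time. It assumes a SnakeYAML release that ships the upstream fix's `LoaderOptions.setMaxAliasesForCollections()` limit; the class name, the tiny input document and the limit values are constructed for the demo.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class AliasLimitCheck {
    // Constructed input: one anchored mapping (&a) referenced by three aliases.
    // Entity-expansion documents nest such references many levels deep so that
    // a few kilobytes of YAML expand into gigabytes of objects; the alias limit
    // stops the parser before that expansion happens.
    static final String DOC =
        "a: &a {k: v}\n" +
        "b: [*a, *a, *a]\n";

    /** Returns true if the document loads under the given alias limit. */
    static boolean loadsUnderLimit(String yaml, int maxAliases) {
        LoaderOptions opts = new LoaderOptions();
        // Limit on aliases that point at collections (maps/sequences). The value
        // here is chosen for the demo; in production keep the upstream default
        // or lower it to what your documents legitimately need.
        opts.setMaxAliasesForCollections(maxAliases);
        // For untrusted input combine this with SafeConstructor as well; the
        // alias cap only addresses expansion, not arbitrary type construction.
        Yaml yaml_ = new Yaml(opts);
        try {
            yaml_.load(yaml);
            return true;
        } catch (YAMLException e) {
            // Thrown when the number of collection aliases exceeds the limit.
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println(loadsUnderLimit(DOC, 10)); // three aliases: accepted
        System.out.println(loadsUnderLimit(DOC, 2));  // over the cap: rejected
    }
}
```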