On Mon, Sep 05, 2022 at 09:48:33PM +0200, Salvatore Bonaccorso wrote:
> Source: snakeyaml
> Version: 1.29-1
> Severity: important
> Tags: security upstream
> Forwarded: https://bitbucket.org/snakeyaml/snakeyaml/issues/525
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for snakeyaml.
>
> CVE-2022-25857[0]:
> | The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable
> | to Denial of Service (DoS) due to missing nested depth limitation for
> | collections.
snakeyaml 1.31 has been uploaded to unstable. I will start work on 1.33, which addresses other non-DSA CVEs [1].

Cheers,
tony

[1] https://security-tracker.debian.org/tracker/source-package/snakeyaml
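As an added illustration (not part of the message above, and not code from the snakeyaml project), the following Java snippet shows the defensive setting the 1.31 fix introduced for the nested-depth problem described in the CVE text: a depth limit configured through `LoaderOptions`. It assumes snakeyaml 1.31 or later on the classpath, that `LoaderOptions.setNestingDepthLimit(int)` is the configuration method added for this fix, and that a document exceeding the limit is rejected with a `YAMLException` (or a subclass); the YAML input is constructed inline.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class NestingLimitDemo {

    // Constructed input: a flow-style document nested `depth` levels deep,
    // e.g. depth 3 gives "[[[]]]". Each opening bracket adds one level of
    // collection nesting, which is what the depth limit counts.
    static String nested(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Loads `doc` with the given nesting limit. Returns true when the document
    // is accepted and false when the parser rejects it; unbounded recursion is
    // never reached because the limit is checked while composing nodes.
    static boolean loads(String doc, int limit) {
        LoaderOptions opts = new LoaderOptions();
        // Assumed API: added in snakeyaml 1.31 as the fix for CVE-2022-25857.
        opts.setNestingDepthLimit(limit);
        Yaml yaml = new Yaml(opts);
        try {
            yaml.load(doc);
            return true;
        } catch (YAMLException e) {
            // Assumed behaviour: exceeding the limit surfaces as a YAMLException.
            return false;
        }
    }

    public static void main(String[] args) {
        // Well within the limit: accepted.
        System.out.println("depth 10, limit 20 -> " + loads(nested(10), 20));
        // Deeper than the limit: rejected instead of consuming the stack.
        System.out.println("depth 100, limit 20 -> " + loads(nested(100), 20));
    }
}
```

The point for an operator is that the limit is a property of the `LoaderOptions` passed to the `Yaml` instance, so any code path that parses untrusted YAML should build its `Yaml` object from an explicit `LoaderOptions` rather than the no-argument constructor; that is also the natural place to set the other load-time bounds the library exposes.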