On Tue, Sep 27, 2022 at 05:41:21PM +0200, Salvatore Bonaccorso wrote:
> > snakeyaml 1.31 has been uploaded to unstable. I will start work on
> > 1.33, which addresses other non-DSA CVEs [1].
Hello Salvatore,

After reviewing the remaining CVEs more closely, I believe I missed documenting CVE-2022-38749 as resolved by the 1.31 upload.

CVE-2022-38749
https://nvd.nist.gov/vuln/detail/CVE-2022-38749
states that the issue exists in versions up to (excluding) 1.31, implying that it was addressed in 1.30.

The state of CVE-2022-38752 is more nuanced.

CVE-2022-38752
https://nvd.nist.gov/vuln/detail/CVE-2022-38752
states that the issue exists in versions up to (excluding) 1.32, implying that it was addressed in 1.31. However, upstream [1] claims this as a false positive and has addressed it by adding a unit test [2] in 1.32. Therefore, I don't believe version 1.31 is actually impacted.

However, in order to keep the security scanners happy, and because upstream has done a lot of code reformatting between 1.31 and 1.33 (which would make porting future patches more difficult), I still intend to update to 1.33 after completing the usual vetting (r-deps build, japi-compliance-checker check, etc.).

Thank you,
tony

[1] https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081#comment-64048637
[2] https://bitbucket.org/snakeyaml/snakeyaml/commits/481078991274c1c8a0a550634164a230b4c23334