CVE-2017-11692 is now fixed upstream by:
https://github.com/jbeder/yaml-cpp/commit/c9460110e072df84b7dee3eb651f2ec5df75fb18
(My PR above got declined, but inspired a better fix.)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https
There's quite a lot of duplication in the CVEs where dubious input
causes stack overflow. There's one underlying cause which already had a
fix under review (but no tests).
I've created PRs to upstream as follows:
https://github.com/jbeder/yaml-cpp/pull/806 - fixes CVE-2017-11692
https://github.co
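The "one underlying cause" mentioned above is that a recursive-descent parser spends one stack frame per nesting level, so an attacker who controls the nesting controls the recursion depth. The block below is an added example written for this thread, not yaml-cpp's code and not the upstream fix: it is a toy parser for YAML flow sequences ("[a, [b, c]]") with a single depth guard, to show how one check covers the whole family of "deeply nested input crashes the parser" reports. The limit kMaxDepth, the parseFlowSequence/nestedInput names and the bracket-only grammar are assumptions of the example; yaml-cpp's real limit and placement live in the commit linked in this thread.

```cpp
// Added example, not yaml-cpp's code: a toy recursive-descent parser for
// YAML flow sequences, with and without a nesting-depth guard.
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>

// Outcome of a parse: deepest nesting level reached, or an error message.
struct ParseResult {
    bool ok;
    std::size_t max_depth;   // deepest nesting level seen
    std::string error;       // set when ok == false
};

// Hypothetical limit chosen for this example; yaml-cpp's own value differs.
constexpr std::size_t kMaxDepth = 64;

namespace {

// Recursive worker. Every '[' recurses once, so nesting depth equals the
// number of live stack frames; with limit == 0 the input alone decides how
// deep the stack grows (the pre-fix behaviour).
std::size_t parseSeq(const std::string& in, std::size_t& pos,
                     std::size_t depth, std::size_t limit,
                     std::size_t& deepest) {
    if (limit != 0 && depth > limit)
        throw std::runtime_error("nesting depth exceeds limit");
    if (depth > deepest) deepest = depth;
    // pos points just past the opening '[' of this sequence
    while (pos < in.size()) {
        char c = in[pos];
        if (c == ']') { ++pos; return depth; }
        if (c == '[') { ++pos; parseSeq(in, pos, depth + 1, limit, deepest); continue; }
        if (c == ',' || c == ' ') { ++pos; continue; }
        // plain scalar: consume up to the next delimiter
        while (pos < in.size() && in[pos] != ',' && in[pos] != ']' && in[pos] != '[')
            ++pos;
    }
    throw std::runtime_error("unterminated sequence");
}

}  // namespace

// Parse a single flow sequence. limit == 0 disables the guard.
ParseResult parseFlowSequence(const std::string& in,
                              std::size_t limit = kMaxDepth) {
    if (in.empty() || in[0] != '[') return {false, 0, "expected '['"};
    ParseResult r{true, 0, ""};
    std::size_t pos = 1;
    try {
        parseSeq(in, pos, 1, limit, r.max_depth);
    } catch (const std::exception& e) {
        return {false, r.max_depth, e.what()};
    }
    return r;
}

// Constructed hostile input: n balanced nested brackets, i.e. n levels deep.
std::string nestedInput(std::size_t n) {
    return std::string(n, '[') + std::string(n, ']');
}

int main() {
    // Benign document parses at depth 2.
    ParseResult benign = parseFlowSequence("[a, [b, c]]");
    std::cout << "benign ok=" << benign.ok << " depth=" << benign.max_depth << "\n";
    // 100000 levels: rejected immediately with the guard; without it (limit 0)
    // the same input would recurse 100000 frames deep, which is the crash.
    ParseResult hostile = parseFlowSequence(nestedInput(100000));
    std::cout << "hostile ok=" << hostile.ok << " error=" << hostile.error << "\n";
    return 0;
}
```

The guard sits in the one function every nesting construct recurses through, which is why a single fix addresses several CVE entries: each report was a different shape of input reaching the same unbounded recursion.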
** Changed in: yaml-cpp (Ubuntu)
Status: New => Fix Released
https://bugs.launchpad.net/bugs/1794692
Title: [MIR] [mir] yaml-cpp
Hey all,
Sorry for the late reply, I confirm that we (~mir-team) will help
maintain this package between Debian and Ubuntu. I've subscribed us to
https://launchpad.net/ubuntu/+source/yaml-cpp bugs to that effect.
As the Debian maintainer for yaml-cpp, I would be more than happy to
work with the Mir team to keep yaml-cpp in sync with Ubuntu.
Thanks!
I reviewed yaml-cpp version 0.6.2-4fakesync1 as packaged in
So, security team ACK on promoting yaml-cpp to main is granted provided
sarnold@hunt:~/ubuntu/security/audits/yaml-cpp/disco/audits$ cat bug.txt
I reviewed yaml-cpp version 0.6.2-4fakesync1 as packaged in
disco-proposed. This shouldn't be
Huh, I see people have started a bunch more whacking on yaml-cpp since
the start of this MIR. Great!
The Mir team certainly have the skills required to submit PRs for these,
and failing anything else we can distro-patch them in. If fixing these
bugs is the price of security-team signoff, I think w
xnox, raof, many thanks for your replies earlier.
I've read through yaml-cpp and can see the benefits: it sticks to C++
things and is remarkably readable. There's a lot of tests.
But there are six CVEs that have been completely ignored. While at least
some of the CVEs wouldn't affect Mir's use (no
Yeah, when surveying the choices for yaml libraries we looked at the C++
libraries (and I forgot that Mir was still in main, so didn't consider
the library's component, just its availability and maintenance in
Ubuntu/Debian).
It would probably not be an unreasonable amount of work to write a smal
@seth
json-c / json-glib / libfastjson are C, rather than CPP.
libjsoncpp may be suitable.
But
json, by default, is unreadable garbage. Whilst yaml is actually
readable. I do understand that it is syntactic sugar / nice to have. But
that also makes all the difference. And indeed yaml is fairly st
We considered json, yaml, and toml as the configuration format, as well
as just an ad-hoc configuration for the single feature which (currently)
requires configuration.
We chose yaml mainly because it seems to be the consensus configuration
format for Canonical projects.
Upstream seems remarkably unresponsive.
I've had a fairly low impression of YAML the specification after reading
https://arp242.net/weblog/yaml_probably_not_so_great_after_all.html#its-pretty-complex
What brought us to this point? Were alternatives considered and
discarded for good reasons?
The
looks ok. reassigning to the security team for a review.
please don't forget the no-change uploads for the transition.
** Changed in: yaml-cpp (Ubuntu)
Importance: Critical => High
** Changed in: yaml-cpp (Ubuntu)
Status: Incomplete => New
** Changed in: yaml-cpp (Ubuntu)
Assigne
yaml-cpp 0.6.2-1ubuntu1 uploaded, with a symbols file (and proposed on
salsa, too https://salsa.debian.org/debian/yaml-cpp/merge_requests/2 ).
I'll upload rebuilds of the rdepends, too.
This should be ready to review.
Urgh. Some of the rdepends of yaml-cpp are not built with c++11 support,
and so FTBFS against the new yaml-cpp.
I'll see if I can fix that tomorrow.
that's now blocking some transitions. Please address this issue
** Changed in: yaml-cpp (Ubuntu)
Importance: Undecided => Critical
** Changed in: yaml-cpp (Ubuntu)
Assignee: (unassigned) => Chris Halse Rogers (raof)
Please forgive my humor. 😁
** Summary changed:
- [MIR] yaml-cpp
+ [MIR] [mir] yaml-cpp