[ https://issues.apache.org/jira/browse/HADOOP-18443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17606797#comment-17606797 ]

PJ Fanning edited comment on HADOOP-18443 at 9/19/22 11:43 PM:
---------------------------------------------------------------

[~groot] it looks like snakeyaml now limits the size of the files it will parse (changes in recent snakeyaml releases, including v1.32). 3Mb appears to be the default limit.
 * [https://bitbucket.org/snakeyaml/snakeyaml/issues/547/restrict-the-size-of-incoming-data]
 * Seems like there is a [LoaderOptions|https://www.javadoc.io/doc/org.yaml/snakeyaml/latest/org/yaml/snakeyaml/LoaderOptions.html] (setCodePointLimit) that can be used to configure the YAML parser. Hadoop might need to allow users to override the limit.
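
An added example of the LoaderOptions.setCodePointLimit configuration the comment refers to; this is not code from the Hadoop project or from SnakeYAML itself. It assumes SnakeYAML 1.32 or later (where setCodePointLimit exists and the SafeConstructor(LoaderOptions) constructor is available) and uses a hypothetical system property name, "yaml.codepoint.limit", to stand in for whatever override knob Hadoop might expose. The constructed sample documents are there only to exercise the limit; a document that exceeds the configured limit is rejected by the parser with a YAMLException before anything is built from it.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlCodePointLimitDemo {

  // Hypothetical override property; not a real Hadoop configuration key.
  static final String LIMIT_PROPERTY = "yaml.codepoint.limit";
  // SnakeYAML 1.32 default code point limit (3 MiB).
  static final int DEFAULT_LIMIT = 3 * 1024 * 1024;

  /** Build a parser with an explicit input-size limit and safe (non-instantiating) construction. */
  static Yaml newYaml(int codePointLimit) {
    LoaderOptions opts = new LoaderOptions();
    opts.setCodePointLimit(codePointLimit);
    // SafeConstructor only produces standard YAML types (maps, lists, scalars),
    // so the untrusted document can never name an arbitrary Java class to instantiate.
    return new Yaml(new SafeConstructor(opts));
  }

  /** Resolve the limit from the (hypothetical) property, falling back to the library default. */
  static int configuredLimit() {
    String raw = System.getProperty(LIMIT_PROPERTY);
    if (raw == null || raw.isEmpty()) {
      return DEFAULT_LIMIT;
    }
    int limit = Integer.parseInt(raw.trim());
    if (limit <= 0) {
      throw new IllegalArgumentException(LIMIT_PROPERTY + " must be a positive number of code points");
    }
    return limit;
  }

  /** Constructed sample document: a flat mapping with the requested number of entries. */
  static String buildDocument(int entries) {
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < entries; i++) {
      sb.append("key").append(i).append(": value-").append(i).append('\n');
    }
    return sb.toString();
  }

  /** Returns true if the document parsed under the limit, false if the parser rejected it for size. */
  static boolean loadsUnderLimit(Yaml yaml, String document) {
    try {
      Map<String, Object> parsed = yaml.load(document);
      return parsed != null;
    } catch (YAMLException e) {
      // SnakeYAML's reader raises this once more code points than the limit have been consumed.
      return false;
    }
  }

  public static void main(String[] args) {
    // A deliberately tiny limit (512 code points) to make the rejection observable.
    Yaml tight = newYaml(512);
    String small = buildDocument(8);    // well under 512 characters
    String large = buildDocument(200);  // several thousand characters

    System.out.println("small document accepted: " + loadsUnderLimit(tight, small));
    System.out.println("large document accepted: " + loadsUnderLimit(tight, large));

    // The same large document parses fine under the default (or overridden) limit.
    Yaml configured = newYaml(configuredLimit());
    System.out.println("large document accepted under configured limit: "
        + loadsUnderLimit(configured, large));
  }
}
```

Run with `-Dyaml.codepoint.limit=<n>` to see the override path; leaving the property unset keeps SnakeYAML's own 3 MiB default, which is the behaviour a Hadoop deployment would get with no configuration at all.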


> Upgrade snakeyaml to 1.32
> -------------------------
>
>                 Key: HADOOP-18443
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18443
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.3.3, 3.3.4
>            Reporter: Ashutosh Gupta
>            Assignee: Ashutosh Gupta
>            Priority: Major
>              Labels: pull-request-available
>
> Upgrade snakeyaml to 1.32 to mitigate CVE-2022-25857 and 
> [CVE-2022-38752|https://github.com/advisories/GHSA-9w3m-gqgf-c4p9]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
