Your message dated Wed, 05 Jul 2023 06:47:07 +0000
with message-id <[email protected]>
and subject line Bug#1039984: fixed in yajl 2.1.0-3+deb12u1
has caused the Debian Bug report #1039984,
regarding yajl: CVE-2023-33460: Memory leak in yajl 2.1.0 with use of yajl_tree_parse function
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1039984: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: yajl
Version: 2.1.0-2
Severity: important
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team <[email protected]>
The following CVE was published for yajl:
CVE-2023-33460[0]:
There's a memory leak in yajl 2.1.0 with use of the yajl_tree_parse function, which
will cause out-of-memory in the server and cause a crash.
Upstream Issue [1] links to a potential patch [2]
I'm filing this bug as I'm going to fix the issue for ELTS (stretch/jessie)
and then possibly also will NMU for sid, bookworm and bullseye and buster.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
[0] https://security-tracker.debian.org/tracker/CVE-2023-33460
[1] https://github.com/lloyd/yajl/issues/250
[2] https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698
--
Cheers,
tobi
-- System Information:
Debian Release: 12.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'oldstable-security'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (100, 'bullseye-fasttrack'), (100, 'bullseye-backports-staging'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: yajl
Source-Version: 2.1.0-3+deb12u1
Done: Tobias Frost <[email protected]>
We believe that the bug you reported is fixed in the latest version of
yajl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <[email protected]> (supplier of updated yajl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 01 Jul 2023 14:55:44 +0200
Source: yajl
Architecture: source
Version: 2.1.0-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: John Stamp <[email protected]>
Changed-By: Tobias Frost <[email protected]>
Closes: 1039984 1040034
Changes:
yajl (2.1.0-3+deb12u1) bookworm; urgency=medium
.
* Non-maintainer upload.
* Import upstream patch for CVE-2023-33460. (Closes: #1039984)
* Fix d/control Homepage field (Closes: #1040034)
Checksums-Sha1:
bfeed4917662a49bf52cb0e6111a486921d3b17f 1980 yajl_2.1.0-3+deb12u1.dsc
29ce2b9695ae93e1b0b349a22cea8067f25a9025 83997 yajl_2.1.0.orig.tar.gz
734824bb6382164252501ba8d664e756927799f3 6076 yajl_2.1.0-3+deb12u1.debian.tar.xz
ee00cf46f5426c37cae62913166e9b1a5b4a0881 8113 yajl_2.1.0-3+deb12u1_amd64.buildinfo
Checksums-Sha256:
453c5d953333261eed3684a23c39f9944c69c33c61c9a6265ac3891a707475bb 1980 yajl_2.1.0-3+deb12u1.dsc
3fb73364a5a30efe615046d07e6db9d09fd2b41c763c5f7d3bfb121cd5c5ac5a 83997 yajl_2.1.0.orig.tar.gz
8fa96db127bc43ba562d9a2a3007d0f664c39a7d5fa2d98378951c5d7a61217a 6076 yajl_2.1.0-3+deb12u1.debian.tar.xz
0d3b0b5eea0ceeba26b5ff415e0bf7a1ffe17b3f2596716af4f8254e5cf78fc1 8113 yajl_2.1.0-3+deb12u1_amd64.buildinfo
Files:
e82f0452fa9b4899c5accd843c8a4a16 1980 libs optional yajl_2.1.0-3+deb12u1.dsc
6887e0ed7479d2549761a4d284d3ecb0 83997 libs optional yajl_2.1.0.orig.tar.gz
d93fea9e29e411ed6c68999fb95d8ca2 6076 libs optional yajl_2.1.0-3+deb12u1.debian.tar.xz
aa15fd87bb2725b426f2fa40ec6b00b5 8113 libs optional yajl_2.1.0-3+deb12u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
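The signed .changes above lists every artifact of the upload three times (MD5 in Files, SHA-1 and SHA-256 in Checksums-*). Before trusting a downloaded yajl_2.1.0.orig.tar.gz or .debian.tar.xz against this upload, a consumer would check that those sections agree with each other and that the artifact matches the SHA-256 entry. The following is an added example, not code from the Debian bug mail, the archive tooling or the yajl project: CHANGES_TEXT is copied from the .changes in the message above with only the standard leading-space continuation indent restored, and it assumes the OpenPGP signature on the .changes has already been verified separately (e.g. with gpg --verify).

```python
"""Cross-check the checksum sections of the yajl 2.1.0-3+deb12u1 .changes file.

Added example, not part of the Debian bug mail or of the yajl package. The
text in CHANGES_TEXT is copied from the .changes shown in the message above
(only the leading-space continuation indent of the standard format is
restored). Signature verification of the .changes itself is assumed to have
been done separately; this code only checks that the checksum sections agree
with each other and that an artifact matches the SHA-256 entry.
"""
import hashlib

CHANGES_TEXT = """\
Format: 1.8
Source: yajl
Version: 2.1.0-3+deb12u1
Distribution: bookworm
Checksums-Sha1:
 bfeed4917662a49bf52cb0e6111a486921d3b17f 1980 yajl_2.1.0-3+deb12u1.dsc
 29ce2b9695ae93e1b0b349a22cea8067f25a9025 83997 yajl_2.1.0.orig.tar.gz
 734824bb6382164252501ba8d664e756927799f3 6076 yajl_2.1.0-3+deb12u1.debian.tar.xz
 ee00cf46f5426c37cae62913166e9b1a5b4a0881 8113 yajl_2.1.0-3+deb12u1_amd64.buildinfo
Checksums-Sha256:
 453c5d953333261eed3684a23c39f9944c69c33c61c9a6265ac3891a707475bb 1980 yajl_2.1.0-3+deb12u1.dsc
 3fb73364a5a30efe615046d07e6db9d09fd2b41c763c5f7d3bfb121cd5c5ac5a 83997 yajl_2.1.0.orig.tar.gz
 8fa96db127bc43ba562d9a2a3007d0f664c39a7d5fa2d98378951c5d7a61217a 6076 yajl_2.1.0-3+deb12u1.debian.tar.xz
 0d3b0b5eea0ceeba26b5ff415e0bf7a1ffe17b3f2596716af4f8254e5cf78fc1 8113 yajl_2.1.0-3+deb12u1_amd64.buildinfo
Files:
 e82f0452fa9b4899c5accd843c8a4a16 1980 libs optional yajl_2.1.0-3+deb12u1.dsc
 6887e0ed7479d2549761a4d284d3ecb0 83997 libs optional yajl_2.1.0.orig.tar.gz
 d93fea9e29e411ed6c68999fb95d8ca2 6076 libs optional yajl_2.1.0-3+deb12u1.debian.tar.xz
 aa15fd87bb2725b426f2fa40ec6b00b5 8113 libs optional yajl_2.1.0-3+deb12u1_amd64.buildinfo
"""


def parse_changes(text):
    """Parse the RFC822-style .changes body into {field: [lines]}.

    An inline value ("Format: 1.8") becomes a one-element list; a multi-line
    field ("Checksums-Sha256:") collects its space-indented continuation lines.
    """
    fields = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(raw.strip())
        else:
            name, sep, value = raw.partition(":")
            if not sep:
                raise ValueError(f"unparseable line: {raw!r}")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def checksum_entries(fields, field):
    """Return {filename: (digest, size)} for one checksum section.

    'Files' carries md5 plus section/priority columns; the Checksums-* fields
    carry just digest, size and name.
    """
    entries = {}
    for line in fields.get(field, []):
        parts = line.split()
        if field == "Files":
            digest, size, _section, _priority, name = parts
        else:
            digest, size, name = parts
        entries[name] = (digest.lower(), int(size))
    return entries


def check_changes(text):
    """Cross-check the three sections and return the SHA-256 table.

    Every file must be listed in Files, Checksums-Sha1 and Checksums-Sha256
    with the same size; a .changes whose sections disagree has been edited or
    truncated and should not be trusted even if its signature verified.
    """
    fields = parse_changes(text)
    sha256 = checksum_entries(fields, "Checksums-Sha256")
    sha1 = checksum_entries(fields, "Checksums-Sha1")
    md5 = checksum_entries(fields, "Files")
    if not (sha256.keys() == sha1.keys() == md5.keys()):
        raise ValueError("file lists differ between checksum sections")
    for name, (_, size) in sha256.items():
        if sha1[name][1] != size or md5[name][1] != size:
            raise ValueError(f"size mismatch for {name}")
    return sha256


def changes_consistent(text):
    """Boolean form of check_changes for callers that do not want exceptions."""
    try:
        check_changes(text)
        return True
    except ValueError:
        return False


def verify_bytes(data, expected_digest, expected_size):
    """True iff data has the expected length and SHA-256 (MD5/SHA-1 are ignored)."""
    if len(data) != expected_size:
        return False
    return hashlib.sha256(data).hexdigest() == expected_digest.lower()


def verify_file(path, expected_digest, expected_size):
    """Apply verify_bytes to a downloaded artifact on disk."""
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), expected_digest, expected_size)


if __name__ == "__main__":
    table = check_changes(CHANGES_TEXT)
    for name, (digest, size) in sorted(table.items()):
        print(f"{name}: {size} bytes, sha256 {digest[:16]}...")
    # The real tarball is not bundled here; a constructed stand-in shows rejection.
    digest, size = table["yajl_2.1.0.orig.tar.gz"]
    print("stand-in accepted:", verify_bytes(b"not the real tarball", digest, size))
```

Only the SHA-256 column is used as the acceptance criterion; the MD5 and SHA-1 columns are kept for the consistency check because a .changes that has been tampered with or truncated in transit usually shows up first as a disagreement between sections. Replace the constructed stand-in with the actual download path via verify_file to check a real artifact.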