Your message dated Tue, 11 Jul 2023 22:02:09 +0000
with message-id <[email protected]>
and subject line Bug#1039984: fixed in yajl 2.1.0-3+deb12u2
has caused the Debian Bug report #1039984,
regarding yajl: CVE-2023-33460: Memory leak in yajl 2.1.0 with use of yajl_tree_parse function
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1039984: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: yajl
Version: 2.1.0-2
Severity: important
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team <[email protected]>
The following CVE was published for yajl:
CVE-2023-33460[0]:
There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function, which
will cause out-of-memory in server and cause crash.
Upstream Issue [1] links to a potential patch [2]
I'm filing this bug as I'm going to fix the issue for ELTS (stretch/jessie)
and then possibly also will NMU for sid, bookworm and bullseye and buster.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
[0] https://security-tracker.debian.org/tracker/CVE-2023-33460
[1] https://github.com/lloyd/yajl/issues/250
[2] https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698
--
Cheers,
tobi
-- System Information:
Debian Release: 12.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'oldstable-security'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (100, 'bullseye-fasttrack'), (100, 'bullseye-backports-staging'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: yajl
Source-Version: 2.1.0-3+deb12u2
Done: Tobias Frost <[email protected]>
We believe that the bug you reported is fixed in the latest version of
yajl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <[email protected]> (supplier of updated yajl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 10 Jul 2023 18:06:21 +0200
Source: yajl
Architecture: source
Version: 2.1.0-3+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: John Stamp <[email protected]>
Changed-By: Tobias Frost <[email protected]>
Closes: 1039984 1040036
Changes:
yajl (2.1.0-3+deb12u2) bookworm; urgency=medium
.
[Tobias Frost]
* Non-maintainer upload.
* Cherry pick John's CVE fixes from 2.1.0-4 and 2.1.0-5
.
[John Stamp]
* Patch CVE-2017-16516 and CVE-2022-24795 (Closes: #1040036)
* The patch for CVE-2023-33460 turned out to be incomplete. Fix that.
(Closes: #1039984)
Checksums-Sha1:
726513c594dce2eaa22fd498acca19607ce50313 1980 yajl_2.1.0-3+deb12u2.dsc
787d03daca1b3e7c8ffe0e0f4effd57798ed0768 6968 yajl_2.1.0-3+deb12u2.debian.tar.xz
ff42cd080424d72adfe431a61231da34fc605c0d 8113 yajl_2.1.0-3+deb12u2_amd64.buildinfo
Checksums-Sha256:
38420d432584960203b37e108bcf39a5b6f0f2c96620af51e358ad2ce2e8746b 1980 yajl_2.1.0-3+deb12u2.dsc
31ebb5b6e0b76908d9631ce9c94ba1d7a34bbba05ea9ed42ee72422e141cbe48 6968 yajl_2.1.0-3+deb12u2.debian.tar.xz
cfc083f2d27a46b0b6c4845d6ae78e566bd8350afba321ffd5a48b9ca930b549 8113 yajl_2.1.0-3+deb12u2_amd64.buildinfo
Files:
cb6e1a7dbac4040aad65449b5f7aa2dc 1980 libs optional yajl_2.1.0-3+deb12u2.dsc
9ae58d18d4f93a3ba6b0562bde73ccac 6968 libs optional yajl_2.1.0-3+deb12u2.debian.tar.xz
cb62c063ad3858fd4397241583df8635 8113 libs optional yajl_2.1.0-3+deb12u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAmStlQEACgkQkWT6HRe9
XTb2tBAAm552mSdP707PFcjYUDQ1niTeudTUgsnF1uO2DOrPQGhPWS6xQAj27aGB
Y9GLoynysC+3Wr264XIwltlcLUZdh/EEVh+q96dTJEV8tbsPI3Au2bHGjkx2xZdp
pk/ZZ9Yqi5/NQRVqZlU6V9IyQRCRhbkNphEjp4y/FbcODM6u4hFe556HLsHb/s/w
CncI9lIqriJRo/aWBLhn8cKi6svqnKqJT6zNBxmfr8QFgZD0F6DL4umN+LVsW2Lt
9khzfMC4wHMS14WekKqyP25jMXzFCCNk+oKD/NC3DpkMv4TuSLnwBMyb9Og8ThRU
yW55DBcj++gQJ4ZG3YfKApgAAXN5Fo9vQUhkCl1gCPwjS0My2TXMiew7WEaaCceT
n2wo0gIbVE84fC6rT/cJBgA5FJuTn9SrV/oawIr+VSb15azm3+fqCCDgJjj6wXb0
OqlmeqOkwYy7bjDPyKf8cOrWqb27nDXBEJv2vrJdheXgkfsjLMkfHTSfQlwPAu2B
gfT7U+FlJudgRGFIxJ0Ylvstg0bnfjFBPQQjCd6txn5LKqhdmVLRjlnu/bJXchIv
/inknq1yz1rxFP3RAQnXRR++Lbp7W4nI8fR/9yLf3KsJVA3dVk4KUItiaLtJuN+U
Zf9eFBazneS3N4zL81bjvNVCpCIB34QfDlrZp4i9S9F/adutrS8=
=QmaW
-----END PGP SIGNATURE-----
--- End Message ---
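The signed .changes record above lists SHA-1 and SHA-256 digests for the uploaded yajl source files. The following is an added example, not part of the Debian BTS messages or of Debian's own tooling (dpkg-dev, dscverify), showing how a practitioner can parse those Checksums stanzas and check a downloaded file against them. The stanza text embedded below copies the real values from the record; it is written in the layout an actual .changes file uses, where continuation lines are indented by one space (the copy above lost that indentation in extraction). Only the two Checksums fields are parsed; the Files field (MD5 plus section/priority) is skipped. The sample file bytes and the file name a.txt are constructed for the demonstration.

```python
"""Parse Checksums-* stanzas from a Debian .changes file and verify files.

Added example; not code from the Debian BTS, dpkg-dev or the yajl package.
Standard library only.
"""
import hashlib

# Maps the .changes field name to the hashlib algorithm it carries.
FIELD_ALGOS = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}

# Stanzas copied from the yajl 2.1.0-3+deb12u2 .changes record above, with
# continuation lines indented by one space as in a real .changes file.
CHANGES_STANZAS = """\
Checksums-Sha1:
 726513c594dce2eaa22fd498acca19607ce50313 1980 yajl_2.1.0-3+deb12u2.dsc
 787d03daca1b3e7c8ffe0e0f4effd57798ed0768 6968 yajl_2.1.0-3+deb12u2.debian.tar.xz
 ff42cd080424d72adfe431a61231da34fc605c0d 8113 yajl_2.1.0-3+deb12u2_amd64.buildinfo
Checksums-Sha256:
 38420d432584960203b37e108bcf39a5b6f0f2c96620af51e358ad2ce2e8746b 1980 yajl_2.1.0-3+deb12u2.dsc
 31ebb5b6e0b76908d9631ce9c94ba1d7a34bbba05ea9ed42ee72422e141cbe48 6968 yajl_2.1.0-3+deb12u2.debian.tar.xz
 cfc083f2d27a46b0b6c4845d6ae78e566bd8350afba321ffd5a48b9ca930b549 8113 yajl_2.1.0-3+deb12u2_amd64.buildinfo
Files:
 cb6e1a7dbac4040aad65449b5f7aa2dc 1980 libs optional yajl_2.1.0-3+deb12u2.dsc
"""


def parse_checksums(changes_text):
    """Return {filename: {"size": int, "sha1": hex, "sha256": hex}}.

    Each Checksums-* field is a header line followed by indented
    continuation lines "<hex> <size> <filename>". Any other field
    (including Files:) is skipped. Sizes must agree across stanzas.
    """
    entries = {}
    algo = None
    for line in changes_text.splitlines():
        if not line.startswith((" ", "\t")):
            # New field header: only checksum fields switch parsing on.
            algo = FIELD_ALGOS.get(line.split(":", 1)[0])
            continue
        if algo is None:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, size, name = parts
        size = int(size)
        entry = entries.setdefault(name, {})
        if entry.get("size", size) != size:
            raise ValueError(f"size disagreement for {name} between stanzas")
        entry["size"] = size
        entry[algo] = digest.lower()
    return entries


def verify_bytes(data, expected):
    """Check size and every listed digest; return a list of problems (empty if OK).

    All listed digests are checked rather than stopping at the first match,
    so a file that only agrees on the weaker SHA-1 is still reported.
    """
    problems = []
    if len(data) != expected["size"]:
        problems.append(f"size {len(data)} != {expected['size']}")
    for algo in FIELD_ALGOS.values():
        if algo in expected:
            actual = hashlib.new(algo, data).hexdigest()
            if actual != expected[algo]:
                problems.append(f"{algo} mismatch: got {actual}")
    return problems


def verify_file(path, expected):
    """Read a downloaded file from disk and verify it against its .changes entry."""
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), expected)


def stanzas_for(files):
    """Produce Checksums-Sha1/Sha256 stanzas for {name: bytes} (the publishing side)."""
    lines = []
    for field, algo in FIELD_ALGOS.items():
        lines.append(f"{field}:")
        for name, data in files.items():
            lines.append(f" {hashlib.new(algo, data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    expected = parse_checksums(CHANGES_STANZAS)
    for name, entry in expected.items():
        print(name, entry["size"], entry["sha256"])
    # Constructed sample: a file published with its own stanzas round-trips cleanly.
    sample = {"a.txt": b"constructed sample content\n"}
    published = parse_checksums(stanzas_for(sample))
    print("sample ok:", verify_bytes(sample["a.txt"], published["a.txt"]) == [])
    print("tampered:", verify_bytes(b"tampered", published["a.txt"]))
```

In practice the .changes file is first checked with a detached-signature verification (the PGP signature above) before its digests are trusted; this block covers only the digest step that follows.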