Your message dated Tue, 27 Sep 2022 15:11:54 +0000
with message-id <[email protected]>
and subject line Bug#1019218: fixed in snakeyaml 1.31-1
has caused the Debian Bug report #1019218,
regarding snakeyaml: CVE-2022-25857
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1019218: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019218
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: snakeyaml
Version: 1.29-1
Severity: important
Tags: security upstream
Forwarded: https://bitbucket.org/snakeyaml/snakeyaml/issues/525
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for snakeyaml.
CVE-2022-25857[0]:
| The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable
| to Denial of Service (DoS) due to missing nested depth limitation for
| collections.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-25857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857
[1] https://bitbucket.org/snakeyaml/snakeyaml/issues/525
[2] https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
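Added example, not part of the bug report, the upstream fix or the Debian package: a small Java program that exercises the collection nesting-depth limit snakeyaml 1.31 introduces for CVE-2022-25857. It assumes snakeyaml 1.31 or later on the classpath and relies on LoaderOptions.setNestingDepthLimit(); the class name NestingDepthCheck, the helper names and the nested-sequence document are constructed for illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class NestingDepthCheck {

    // Constructed sample input: a flow sequence nested `depth` levels deep,
    // e.g. depth 3 -> "[[[]]]". Before snakeyaml 1.31 nothing bounds how deep
    // such a document may nest, so a large value drives the recursive
    // composer until the JVM stack is exhausted (CVE-2022-25857).
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) {
            sb.append('[');
        }
        for (int i = 0; i < depth; i++) {
            sb.append(']');
        }
        return sb.toString();
    }

    // Load `doc` with an explicit nesting-depth limit and report whether the
    // loader accepted it. setNestingDepthLimit() is the option added in 1.31
    // (the upstream default is 50); on older versions it does not exist and
    // this method will not compile, which is a quick version check in itself.
    static boolean loads(String doc, int nestingDepthLimit) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(nestingDepthLimit);
        Yaml yaml = new Yaml(opts);
        try {
            yaml.load(doc);
            return true;
        } catch (YAMLException e) {
            // 1.31 refuses the document with a "Nesting Depth exceeded" error
            // at compose time instead of recursing into a StackOverflowError.
            return false;
        }
    }

    public static void main(String[] args) {
        // Real configuration files rarely nest more than a handful of levels.
        System.out.println("depth 10, limit 50 -> "
                + loads(nestedSequence(10), 50));
        // A hostile document nested far past the limit is rejected up front.
        System.out.println("depth 1000, limit 50 -> "
                + loads(nestedSequence(1000), 50));
        // Tighten the limit to what your own documents actually need.
        System.out.println("depth 10, limit 5 -> "
                + loads(nestedSequence(10), 5));
    }
}
```

Compile and run with the snakeyaml jar on the classpath (javac -cp snakeyaml-1.31.jar NestingDepthCheck.java && java -cp .:snakeyaml-1.31.jar NestingDepthCheck). The limit only bounds how deeply sequences and mappings may nest; it is the fix for this particular resource-exhaustion bug and not a substitute for the other loader restrictions snakeyaml offers when parsing untrusted input.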
--- Begin Message ---
Source: snakeyaml
Source-Version: 1.31-1
Done: tony mancill <[email protected]>
We believe that the bug you reported is fixed in the latest version of
snakeyaml, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated snakeyaml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 27 Sep 2022 07:23:10 -0700
Source: snakeyaml
Architecture: source
Version: 1.31-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: tony mancill <[email protected]>
Closes: 1019218
Changes:
snakeyaml (1.31-1) unstable; urgency=medium
.
* Team upload.
* Update debian/watch for bitbucket.org/snakeyaml/snakeyaml
* Update Homepage and Source URLs
* New upstream version 1.31 (Closes: #1019218)
- CVE-2022-25857 (https://bitbucket.org/snakeyaml/snakeyaml/issues/525)
- CVE-2022-38750 (https://bitbucket.org/snakeyaml/snakeyaml/issues/526)
- CVE-2022-38751 (https://bitbucket.org/snakeyaml/snakeyaml/issues/530)
* Freshen years in debian/copyright
* Bump Standards-Version to 4.6.1
* Add build-dep on liblombok-java
* Use velocity in lieu of newer velocity-engine-core
* Update debian/upstream/metadata for new upstream
Checksums-Sha1:
2d3b31d684114015b55b110ab635391377e1143e 2442 snakeyaml_1.31-1.dsc
bfe342e762c753c494a25d9a71e171963b97636a 291452 snakeyaml_1.31.orig.tar.xz
26a35208a367b7d880990cd248117159f566964b 9784 snakeyaml_1.31-1.debian.tar.xz
6df17525e4849baeb2889cd44ae8cc6ad5738890 14144 snakeyaml_1.31-1_amd64.buildinfo
Checksums-Sha256:
e6e006cd9ada956b59a8e3e04c44b1f8c9672ebb1291297979a3f27913bfd25c 2442 snakeyaml_1.31-1.dsc
a43d10c05c2d2b878b02c464333a7d105ebb6f5dad16b50b7ddf0ac696ace744 291452 snakeyaml_1.31.orig.tar.xz
0ffd961b8ccbd6c0e7fd20b91c6df38b0ed8f305a8b55cd02283b4d5a9362ae3 9784 snakeyaml_1.31-1.debian.tar.xz
f28cbdefbd6862bb2d4fc35b08776964429046dc86f46e2507ef828d9b388f90 14144 snakeyaml_1.31-1_amd64.buildinfo
Files:
a112218977966710fdcf1528dc83f81e 2442 java optional snakeyaml_1.31-1.dsc
c95999e65197a75e31dc160bbebc02aa 291452 java optional snakeyaml_1.31.orig.tar.xz
0f024688748786a7c30531bfb4788cfa 9784 java optional snakeyaml_1.31-1.debian.tar.xz
64c13cc5dc08e5f2b4b0276a6cf854b1 14144 java optional snakeyaml_1.31-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.