Source: yajl
Version: 2.1.0-2
Severity: important
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
The following CVE was published for yajl:

CVE-2023-33460[0]:
There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function, which will cause out-of-memory in server and cause crash.

Upstream Issue [1] links to a potential patch [2].

I'm filing this bug as I'm going to fix the issue for ELTS (stretch/jessie) and then possibly also will NMU for sid, bookworm, bullseye and buster.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

[0] https://security-tracker.debian.org/tracker/CVE-2023-33460
[1] https://github.com/lloyd/yajl/issues/250
[2] https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698

--
Cheers,
tobi

-- System Information:
Debian Release: 12.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'oldstable-security'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (100, 'bullseye-fasttrack'), (100, 'bullseye-backports-staging'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled