Your message dated Thu, 26 Mar 2020 05:19:53 +0000
with message-id <e1jhkvp-000feh...@fasolo.debian.org>
and subject line Bug#952683: fixed in snakeyaml 1.25+ds-3
has caused the Debian Bug report #952683,
regarding snakeyaml: CVE-2017-18640
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
952683: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952683
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: snakeyaml
Version: 1.25+ds-2
Severity: important
Tags: security upstream
Forwarded: https://bitbucket.org/asomov/snakeyaml/issues/377
Control: found -1 1.23-1
Control: found -1 1.17-1
Hi,
The following vulnerability was published for snakeyaml.
CVE-2017-18640[0]:
| The Alias feature in SnakeYAML 1.18 allows entity expansion during a
| load operation, a related issue to CVE-2003-1564.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-18640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
[1] https://bitbucket.org/asomov/snakeyaml/issues/377
[2]
https://bitbucket.org/asomov/snakeyaml/commits/b680ce64971d943083012c04690c0ffa9fea6da4
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: snakeyaml
Source-Version: 1.25+ds-3
Done: tony mancill <tmanc...@debian.org>
We believe that the bug you reported is fixed in the latest version of
snakeyaml, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 952...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated snakeyaml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 25 Mar 2020 21:45:58 -0700
Source: snakeyaml
Architecture: source
Version: 1.25+ds-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers
<pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Closes: 952683
Changes:
snakeyaml (1.25+ds-3) unstable; urgency=medium
.
* Team upload.
* Add patch for CVE-2017-18640 (Closes: #952683)
Checksums-Sha1:
b8793437844b4b9af530428bf7d493f576c7681e 2398 snakeyaml_1.25+ds-3.dsc
3c0f87f046a53a50ba5bf0edaffebc4916dc172c 14168
snakeyaml_1.25+ds-3.debian.tar.xz
4f0a79a8d63ec5c3b59db355a2a218a68356f8e2 13706
snakeyaml_1.25+ds-3_amd64.buildinfo
Checksums-Sha256:
a52c8069717fb5d1500c30866b74ac40093cb077d3e690689e1429648b3048fa 2398
snakeyaml_1.25+ds-3.dsc
b54a28633f00a548e30d4f6fe7240c2b1f46aaa829277accc235b16502e59af5 14168
snakeyaml_1.25+ds-3.debian.tar.xz
b00d9de2a0b42edb4402ae7c859d79efd618f1244e12de2d5fa4e73591860f79 13706
snakeyaml_1.25+ds-3_amd64.buildinfo
Files:
a6f0554c4f29bc8f74a5802d794e94c4 2398 java optional snakeyaml_1.25+ds-3.dsc
e87542ff5675e0bcc9bc6c2570e36aa0 14168 java optional
snakeyaml_1.25+ds-3.debian.tar.xz
a692288e402243f34634fdcb5db19746 13706 java optional
snakeyaml_1.25+ds-3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEE5Qr9Va3SequXFjqLIdIFiZdLPpYFAl58NrgUHHRtYW5jaWxs
QGRlYmlhbi5vcmcACgkQIdIFiZdLPpZ6gxAAvWcw21zNvtdqT/ldOwdIR61D2Q99
jzIy6+0h8pHseemsU/SGhJKMmWN/apsApd5Dy7OyxyuzaQ08gmPdMPxMFBkRIMRd
lCpa3wG88JMhBPeCvnlBUej3OVnyotXpD04uXl4O1G0CQYObDPUoWfhP9vgjmiPP
qJwgyY4eMNApB2yOEngILF2nxe7SwhFlhP1A+SVT/cYaaltM5Nbc+lEsFcAbtilU
1MRBH0b3A3oC56HSrfjU9pT0IlpJNYpa+xPwr57ekyR8KDYquXQLjM8GZSinbFVl
/7zS4IbuagnZXTJdqHNrWXtD/Nqqmt9R8+OcM8Z0UdAWEdBt+d62MQEBqVSB0s81
3Osn1Kg/J/dglI31hMvSb6YJlJIjeSc6deT30fneVChw/1BdN0Tf/6uEp+9Y2N5Y
RAARtl5lOrpKBgIoVQSCU/tOr9Yo07llFe/W9ARxEHQMV63RnNCFPgWx3y/jU2gV
sJUxAZxOn+MwkEZ7a+Oflwc1usO+SiXmAsgxPkpeNQl1byFRq/QPTNCcDFGWGpLD
i5GNnFRBX1RsytNkGumXyBlt3nCS4BTAK+4UC90bP9r3++I4+UP9GR8lguaLXX9N
YFY56Zo8BvfrvkLMlP8/Ktnld7lsofpdfN1t+WD+yi9YbFcLMK6Jny/n4soVoeo0
VM5kyvwnbR8eAo4=
=EtCE
-----END PGP SIGNATURE-----
--- End Message ---
