subject:"Bug#952683\: snakeyaml\: CVE\-2017\-18640"

Bug#952683: snakeyaml: CVE-2017-18640

2020-03-25 Thread Salvatore Bonaccorso

Hello Tony,

On Wed, Mar 25, 2020 at 10:04:47PM -0700, tony mancill wrote:
> Hello Salvatore,
> 
> On Sat, Feb 29, 2020 at 09:17:50PM +0100, Salvatore Bonaccorso wrote:
> > > The upstream issue has been marked as resolved and the links to the
> > > proposed resolution returns a 404.  I agree that we should have an issue
> > > open in the tracker, but I don't see how this is actionable at this
> > > time.
> > 
> > *sigh*. When I filled the bug I'm pretty sure the referenced commit
> > *was* not resulting in a 404 :(
> > 
> > Please have a look at
> > 
> > https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c
> > 
> > That is again the respective commit. Looks upstream did convert the
> > reposiitory.
> 
> Thank you for tracking this down and please excuse my delay in
> responding. I have just uploaded an updated source package to the
> archive.

Welcome and don't worry :)

Thanks for the upload!

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
.
 Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#952683: snakeyaml: CVE-2017-18640

2020-03-25 Thread tony mancill

Hello Salvatore,

On Sat, Feb 29, 2020 at 09:17:50PM +0100, Salvatore Bonaccorso wrote:
> > The upstream issue has been marked as resolved and the links to the
> > proposed resolution returns a 404.  I agree that we should have an issue
> > open in the tracker, but I don't see how this is actionable at this
> > time.
> 
> *sigh*. When I filled the bug I'm pretty sure the referenced commit
> *was* not resulting in a 404 :(
> 
> Please have a look at
> 
> https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c
> 
> That is again the respective commit. Looks upstream did convert the
> reposiitory.

Thank you for tracking this down and please excuse my delay in
responding. I have just uploaded an updated source package to the
archive.

Cheers,
tony

signature.asc
Description: PGP signature
__
This is the maintainer address of Debian's Java team
.
 Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#952683: snakeyaml: CVE-2017-18640

2020-02-29 Thread Salvatore Bonaccorso

Hi Tony,

On Sat, Feb 29, 2020 at 09:51:32AM -0800, tony mancill wrote:
> On Thu, Feb 27, 2020 at 03:16:00PM +0100, Salvatore Bonaccorso wrote:
> > Source: snakeyaml
> > Version: 1.25+ds-2
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://bitbucket.org/asomov/snakeyaml/issues/377
> > Control: found -1 1.23-1
> > Control: found -1 1.17-1
> > 
> > Hi,
> > 
> > The following vulnerability was published for snakeyaml.
> > 
> > CVE-2017-18640[0]:
> > | The Alias feature in SnakeYAML 1.18 allows entity expansion during a
> > | load operation, a related issue to CVE-2003-1564.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2017-18640
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
> > [1] https://bitbucket.org/asomov/snakeyaml/issues/377
> > [2] 
> > https://bitbucket.org/asomov/snakeyaml/commits/b680ce64971d943083012c04690c0ffa9fea6da4
> 
> The upstream issue has been marked as resolved and the links to the
> proposed resolution returns a 404.  I agree that we should have an issue
> open in the tracker, but I don't see how this is actionable at this
> time.

*sigh*. When I filled the bug I'm pretty sure the referenced commit
*was* not resulting in a 404 :(

Please have a look at

https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c

That is again the respective commit. Looks upstream did convert the
reposiitory.

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
.
 Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#952683: snakeyaml: CVE-2017-18640

2020-02-29 Thread tony mancill

On Thu, Feb 27, 2020 at 03:16:00PM +0100, Salvatore Bonaccorso wrote:
> Source: snakeyaml
> Version: 1.25+ds-2
> Severity: important
> Tags: security upstream
> Forwarded: https://bitbucket.org/asomov/snakeyaml/issues/377
> Control: found -1 1.23-1
> Control: found -1 1.17-1
> 
> Hi,
> 
> The following vulnerability was published for snakeyaml.
> 
> CVE-2017-18640[0]:
> | The Alias feature in SnakeYAML 1.18 allows entity expansion during a
> | load operation, a related issue to CVE-2003-1564.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-18640
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
> [1] https://bitbucket.org/asomov/snakeyaml/issues/377
> [2] 
> https://bitbucket.org/asomov/snakeyaml/commits/b680ce64971d943083012c04690c0ffa9fea6da4

The upstream issue has been marked as resolved and the links to the
proposed resolution returns a 404.  I agree that we should have an issue
open in the tracker, but I don't see how this is actionable at this
time.

Cheers,
tony

__
This is the maintainer address of Debian's Java team
.
 Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#952683: snakeyaml: CVE-2017-18640

2020-02-27 Thread Salvatore Bonaccorso

Source: snakeyaml
Version: 1.25+ds-2
Severity: important
Tags: security upstream
Forwarded: https://bitbucket.org/asomov/snakeyaml/issues/377
Control: found -1 1.23-1
Control: found -1 1.17-1

Hi,

The following vulnerability was published for snakeyaml.

CVE-2017-18640[0]:
| The Alias feature in SnakeYAML 1.18 allows entity expansion during a
| load operation, a related issue to CVE-2003-1564.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-18640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
[1] https://bitbucket.org/asomov/snakeyaml/issues/377
[2] 
https://bitbucket.org/asomov/snakeyaml/commits/b680ce64971d943083012c04690c0ffa9fea6da4

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
.
 Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#952683: snakeyaml: CVE-2017-18640

Bug#952683: snakeyaml: CVE-2017-18640

Bug#952683: snakeyaml: CVE-2017-18640

Bug#952683: snakeyaml: CVE-2017-18640

Bug#952683: snakeyaml: CVE-2017-18640

5 matches

Site Navigation

Mail list logo

Footer information