Oh, bah! I had a section detailing those CVEs but obviously overwrote it at some point. Damn browser editors.
Yeah, those CVEs affect the current Ubuntu package, and are unfixed upstream. As far as I can tell they're only DoS risks - the first is an assert() hit on a particular yaml construct, second is stack exhaustion via unbounded recursion on specially crafted input. *Mir* doesn't use this library to parse untrusted input, so we don't much care about them, but other users might. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794692 Title: [MIR] yaml-cpp To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/yaml-cpp/+bug/1794692/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
