| Summary: | dev-java/snakeyaml-1.28: billion laughs DoS (CVE-2017-18640) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | fordfrog, ionen, java |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | Flags: | nattka: sanity-check+ |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion | | |
| See Also: | https://github.com/gentoo/gentoo/pull/20176 | | |
| Whiteboard: | B3 [glsa+] | | |
| Package list: | dev-java/snakeyaml-1.28-r1 amd64 x86; dev-java/joda-time-2.10.10-r1 amd64 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | 780663 | | |
| Bug Blocks: | | | |
Description
John Helmert III
2021-03-17 03:08:37 UTC
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe6324607afad6e952b57747c3297a6b5d69ffbd

commit fe6324607afad6e952b57747c3297a6b5d69ffbd
Author: Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-03-28 21:13:13 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-06 10:44:28 +0000

dev-java/snakeyaml: bump to 1.28 (CVE-2017-18640)

Closes: https://bugs.gentoo.org/776796
Package-Manager: Portage-3.0.17, Repoman-3.0.2
Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
Closes: https://github.com/gentoo/gentoo/pull/20176
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

dev-java/snakeyaml/Manifest | 1 +
dev-java/snakeyaml/snakeyaml-1.28.ebuild | 86 ++++++++++++++++++++++++++++++++
2 files changed, 87 insertions(+)

Please stabilize when ready.

Sanity check failed:
> dev-java/snakeyaml-1.28
> depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> >=dev-java/commons-lang-3.4:3.4
> >=dev-java/joda-time-2.10.10:0
> depend amd64 stable profile default/linux/amd64/17.1 (26 total)
> >=dev-java/commons-lang-3.4:3.4
> >=dev-java/joda-time-2.10.10:0
Unable to check for sanity:
> no match for package: dev-java/commons-lang-3.4
x86 stable

ppc64 stable

Sanity check failed:
> dev-java/snakeyaml-1.28
> depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> >=dev-java/commons-lang-3.4:3.4
> >=dev-java/joda-time-2.10.10:0
> depend amd64 stable profile default/linux/amd64/17.1 (15 total)
> >=dev-java/commons-lang-3.4:3.4
> >=dev-java/joda-time-2.10.10:0
All sanity-check issues have been resolved

Sorry, I accidentally removed a slot of commons-lang that I thought was not used anymore.

Unable to check for sanity:
> no match for package: dev-java/commons-lang-3.6
(In reply to Miroslav Šulc from comment #9)
> Sorry, I accidentally removed a slot of commons-lang that I thought was not used anymore.

I assume this was "fixed" in commit c16e45c8. Then please in the future make sure that no arches are missing in CC.

amd64 done

x86 done

all arches done

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94b45e9356226bb3b5b7d8c3c6d71f69d8390fb0

commit 94b45e9356226bb3b5b7d8c3c6d71f69d8390fb0
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-05-16 18:01:39 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-05-16 18:01:39 +0000

dev-java/snakeyaml: removed obsolete and vulnerable 1.16

Bug: https://bugs.gentoo.org/776796
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

dev-java/snakeyaml/Manifest | 1 -
dev-java/snakeyaml/snakeyaml-1.16.ebuild | 50 --------------------------------
2 files changed, 51 deletions(-)

The tree is clean now, you can proceed.

Thanks! GLSA request filed

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=980b750f6ebc25adc36501cfe47c72ab672b5e9b

commit 980b750f6ebc25adc36501cfe47c72ab672b5e9b
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:44:41 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:37 +0000

[ GLSA 202305-28 ] snakeyaml: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/776796
Bug: https://bugs.gentoo.org/868621
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>

glsa-202305-28.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)

GLSA released, all done!