From ${URL} : Description Some vulnerabilities have been reported in Jansson, which can be exploited by malicious people to cause a DoS (Denial of Service) of the application using the library. The vulnerabilities are caused due to some errors when handling hash tables and can be exploited to exhaust CPU resources by sending a specially crafted JSON document containing a large number of parameters with names map to the same hash value. The vulnerabilities are reported in version 2.4. Other versions may also be affected. Solution: Fixed in the source code repository. Provided and/or discovered by: Florian Weimer, Red Hat Product Security Team Original Advisory: Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=1035538 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Jansson 2.6 was out the other day; much because of this bug (well, upstream). Changelog here: https://github.com/akheron/jansson/commit/e83ded066a610f8de7caaa3942769321ededa84f As proxy, I'd recommend a verbump. Rename from 2.5 works fine for me. I'd also back a quick stabilisation round if my co-maintainer is up for it.
fwiw, verbump bug here: https://bugs.gentoo.org/show_bug.cgi?id=502488
CVE-2013-6401 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6401): Jansson, possibly 2.4 and earlier, does not restrict the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted JSON document.
we should just stabilize 2.7 now for everyone
amd64 stable
x86 stable
Stable for HPPA.
Stable for PPC64.
Stable on alpha.
arm stable
sparc stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: No
Vote: NO.
It has been 30 days since cleanup was requested. Maintainer(s), please drop the vulnerable version(s).
