CVE-2021-41119 [1,2] is caused by a vulnerability in aeson-1.4.7.1. This is documented further here [3]. It means that "The aeson library is not safe to use to consume untrusted input, like the JSON values that a web server might parse. We have put together a DoS exploit to show that this is an immediate threat. We have spent the better part of a year talking to maintainers but did not manage to fix the vulnerability." This has been fixed in version 2.0.1.0 upstream.

[1] https://security-tracker.debian.org/tracker/CVE-2021-41119
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41119
[3] https://cs-syd.eu/posts/2021-09-11-json-vulnerability

Reproducible: Always
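The practical check a maintainer wants from this report is whether any installed dev-haskell/aeson is older than the upstream fix, 2.0.1.0. The script below is an added example, not part of the bug report or of any Gentoo tooling: it takes package atoms in the `category/pkg-version` form a package manager listing prints (the sample listing is constructed, not captured from a real host) and flags aeson versions below the fixed one with a pure POSIX sh version comparison, so it does not depend on `sort -V`. The fixed version and the atom format are the only assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): flag installed dev-haskell/aeson
# versions older than the upstream fix named in the report, 2.0.1.0.
# Assumed input format: one "category/pkg-version" atom per line.

FIXED_VERSION="2.0.1.0"

# version_ge A B -> true when dotted numeric version A is >= B.
# Gentoo revision suffixes such as "-r1" are dropped before comparing.
# Assumes purely numeric dot-separated components.
version_ge() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}
        ac=${ac:-0};  bc=${bc:-0}
        [ "$ac" -gt "$bc" ] && return 0
        [ "$ac" -lt "$bc" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# aeson_version ATOM -> prints the version part of a dev-haskell/aeson atom,
# prints nothing for any other atom (e.g. dev-haskell/aeson-pretty-*)
aeson_version() {
    case "$1" in
        dev-haskell/aeson-[0-9]*)
            printf '%s\n' "${1#dev-haskell/aeson-}"
            ;;
    esac
}

# check_atoms reads atoms on stdin, prints one line per aeson atom marked
# OK or VULNERABLE, and returns 1 if any vulnerable version was seen
check_atoms() {
    status=0
    while IFS= read -r atom; do
        ver=$(aeson_version "$atom")
        [ -n "$ver" ] || continue
        if version_ge "$ver" "$FIXED_VERSION"; then
            printf 'OK         %s\n' "$atom"
        else
            printf 'VULNERABLE %s (CVE-2021-41119, fixed in %s)\n' \
                "$atom" "$FIXED_VERSION"
            status=1
        fi
    done
    return $status
}

# Constructed sample listing (not real output from any host)
SAMPLE='dev-haskell/aeson-1.4.7.1
dev-haskell/aeson-pretty-0.8.8
dev-haskell/aeson-1.5.6.0-r1
dev-haskell/aeson-2.0.1.0
dev-haskell/aeson-2.0.3.0'

# Usage: sh check-aeson.sh --demo   (or pipe a real listing into check_atoms)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | check_atoms
fi
```

The exit status of `check_atoms` is non-zero whenever a vulnerable version is present, so the function can be dropped into a CI or audit job that fails the build; the demo listing above produces two VULNERABLE lines (1.4.7.1 and 1.5.6.0-r1) and two OK lines.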
Thanks! Ideally a CVE should also be issued for aeson itself. haskell@: please bump
(In reply to John Helmert III from comment #1)
> Thanks! Ideally a CVE should also be issued for aeson itself.
>
> haskell@: please bump

We're still working on this in ::haskell, let alone ::gentoo. There are a lot of reverse dependencies that still depend on <dev-haskell/aeson-1.6. But we are working on it.
Fixed in https://github.com/gentoo/gentoo/commit/ca76007e9ca8e3b23af55b769ed204f322acb99f
Thanks! Please stable when ready
dev-haskell/* is all ~arch, cleanup done, closing. Thanks!
Looks like this eventually got