Bug 30899

Summary: snakeyaml new security issues CVE-2020-13936, CVE-2022-25857, CVE-2022-38749, CVE-2022-3875[0-2], CVE-2022-41854
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Java Stack Maintainers <java>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: geiger.david68210, nicolas.salguero
Version: 8
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: snakeyaml-1.27-1.mga9.src.rpm
CVE:
Status comment: Fixed upstream in 1.32

Description David Walser 2022-09-27 00:15:15 CEST
SUSE has issued an advisory today (September 26):
https://lists.suse.com/pipermail/sle-security-updates/2022-September/012382.html

The issues are fixed upstream in 1.32 (1.33 was released today).

Mageia 8 is also affected.

Comment 1 David Walser 2022-09-27 00:17:56 CEST
Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4KYA7O77MLOZCR6FG5WEY5TZRITBLP2Y/

Status comment: (none) => Fixed upstream in 1.32
Whiteboard: (none) => MGA8TOO

Comment 2 David Walser 2022-10-03 16:19:38 CEST
Debian-LTS has issued an advisory for most of these issues today (October 3):
https://www.debian.org/lts/security/2022/dla-3132

Comment 3 David Walser 2022-12-21 17:13:40 CET
Fedora has issued an advisory for this today (December 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J/

Summary: snakeyaml new security issues CVE-2020-13936, CVE-2022-25857, CVE-2022-38749, CVE-2022-3875[0-2] => snakeyaml new security issues CVE-2020-13936, CVE-2022-25857, CVE-2022-38749, CVE-2022-3875[0-2], CVE-2022-41854

Comment 4 David Walser 2023-03-13 19:11:05 CET
Ubuntu has issued an advisory for some of these issues on March 10:
https://ubuntu.com/security/notices/USN-5944-1

Comment 5 David GEIGER 2023-03-14 06:49:25 CET
Done for Cauldron, freeze_move requested!

CC: (none) => geiger.david68210

Comment 6 David Walser 2023-03-18 17:31:57 CET
snakeyaml-1.32-1.mga9 moved.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 7 Nicolas Salguero 2024-01-12 10:21:42 CET
Mageia 8 EOL

Resolution: (none) => OLD
CC: (none) => nicolas.salguero
Status: NEW => RESOLVED