USN-5944-1

Source

https://ubuntu.com/security/notices/USN-5944-1

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/USN-5944-1.json

Related

Published

2023-03-10T10:18:12.369133Z

Modified

2023-03-10T10:18:12.369133Z

Summary

snakeyaml vulnerabilities

Details

It was discovered that SnakeYAML did not limit the maximal nested depth for collections when parsing YAML data. If a user or automated system were tricked into opening a specially crafted YAML file, an attacker could possibly use this issue to cause applications using SnakeYAML to crash, resulting in a denial of service. (CVE-2022-25857, CVE-2022-38749, CVE-2022-38750)

It was discovered that SnakeYAML did not limit the maximal data matched with regular expressions when parsing YAML data. If a user or automated system were tricked into opening a specially crafted YAML file, an attacker could possibly use this issue to cause applications using SnakeYAML to crash, resulting in a denial of service. (CVE-2022-38751)

References

Affected packages

Ubuntu:Pro:14.04:LTS / snakeyaml

Package

Name: snakeyaml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.12-2ubuntu0.14.04.1~esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "libyaml-snake-java-doc": "1.12-2ubuntu0.14.04.1~esm1",
            "libyaml-snake-java": "1.12-2ubuntu0.14.04.1~esm1"
        }
    ]
}

Ubuntu:22.04:LTS / snakeyaml

Package

Name: snakeyaml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.29-1ubuntu0.22.04.1

Ecosystem specific

{
    "availability": "No subscription needed",
    "binaries": [
        {
            "libyaml-snake-java-doc": "1.29-1ubuntu0.22.04.1",
            "libyaml-snake-java": "1.29-1ubuntu0.22.04.1"
        }
    ]
}

Ubuntu:Pro:16.04:LTS / snakeyaml

Package

Name: snakeyaml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.12-2ubuntu0.16.04.1~esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "libyaml-snake-java-doc": "1.12-2ubuntu0.16.04.1~esm1",
            "libyaml-snake-java": "1.12-2ubuntu0.16.04.1~esm1"
        }
    ]
}

Ubuntu:18.04:LTS / snakeyaml

Package

Name: snakeyaml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.23-1+deb10u1build0.18.04.1

Ecosystem specific

{
    "availability": "No subscription needed",
    "binaries": [
        {
            "libyaml-snake-java-doc": "1.23-1+deb10u1build0.18.04.1",
            "libyaml-snake-java": "1.23-1+deb10u1build0.18.04.1"
        }
    ]
}

Ubuntu:20.04:LTS / snakeyaml

Package

Name: snakeyaml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.25+ds-2ubuntu0.1

Ecosystem specific

{
    "availability": "No subscription needed",
    "binaries": [
        {
            "libyaml-snake-java-doc": "1.25+ds-2ubuntu0.1",
            "libyaml-snake-java": "1.25+ds-2ubuntu0.1"
        }
    ]
}