SUSE-SU-2022:3560-1

Source
https://www.suse.com/support/update/announcement/2022/suse-su-20223560-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2022:3560-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2022:3560-1
Related
Published
2022-10-11T07:43:48Z
Modified
2022-10-11T07:43:48Z
Summary
Security update for snakeyaml
Details

This update for snakeyaml fixes the following issues:

snakeyaml was upgraded to version 1.31:

  • CVE-2022-25857: Fixed DoS due missing to nested depth limitation for collections (bsc#1202932).
  • CVE-2022-38749: Fixed DoS due to stack overflow in parser (bsc#1202932).
  • CVE-2022-38751: Fixed DoS due to parsing of untrusted yaml files (bsc#1203153).
  • CVE-2022-38752: Fixed DoS due to stack overflow in parser (bsc#1203154).
  • CVE-2022-38750: Fixed DoS due to parsing of untrusted yaml files (bsc#1203158).
  • CVE-2020-13936: Fixed arbitrary code execution when attacker is able to modify templates (bsc#1183360).
References

Affected packages

SUSE:Manager Server Module 4.1 / snakeyaml

Package

Name
snakeyaml
Purl
purl:rpm/suse/snakeyaml&distro=SUSE%20Manager%20Server%20Module%204.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.31-150200.12.6.1

Ecosystem specific

{
    "binaries": [
        {
            "snakeyaml": "1.31-150200.12.6.1"
        }
    ]
}