[Bug 1785376] New: CVE-2017-18640 snakeyaml: the alias feature entity expansion during a load operation - java-sig-commits - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

December

[Bug 1785376] New: CVE-2017-18640 snakeyaml: the alias feature entity expansion during a load operation

[Bug 1997532] New:...

[Bug 1578582] CVE-2018-1258...

bugzilla＠redhat.com

Thursday, 19 December 2019 Thu, 19 Dec '19

1:24 p.m.

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Bug ID: 1785376 Summary: CVE-2017-18640 snakeyaml: the alias feature entity expansion during a load operation Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: decathorpe(a)gmail.com, hhorak(a)redhat.com, jaromir.capik(a)email.cz, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jorton(a)redhat.com, mizdebsk(a)redhat.com, mo(a)morsi.org, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Other The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564. Reference: https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for... -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Show replies by date

bugzilla＠redhat.com

Thursday, 19 December Thu, 19 Dec

1:24 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Guilherme de Almeida Suckevicz <gsuckevi(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1785377 Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1785377 [Bug 1785377] CVE-2017-18640 snakeyaml: the alias feature entity expansion during a load operation [fedora-all] -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

1:24 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 --- Comment #1 from Guilherme de Almeida Suckevicz <gsuckevi(a)redhat.com> --- Created snakeyaml tracking bugs for this issue: Affects: fedora-all [bug 1785377] -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

1:26 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Guilherme de Almeida Suckevicz <gsuckevi(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1785379 Summary|CVE-2017-18640 snakeyaml: |CVE-2017-18640 snakeyaml: |the alias feature entity |the alias feature allows |expansion during a load |entity expansion during a |operation |load operation -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

4:43 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Alex Scheel <ascheel(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ascheel(a)redhat.com Flags| |needinfo?(gsuckevi(a)redhat.c | |om) --- Comment #2 from Alex Scheel <ascheel(a)redhat.com> --- What needs to be done here? Is there a specific patch that needs to be applied? Upstream's position [0] seems to be that you need to be careful about what inputs you give to snakeyaml. From a snakeyaml packager POV, there's not much we can do if snakeyaml upstream won't fix it and we don't control how packages use snakeyaml downstream or upstream. Would rebasing F30 to 1.25 (like F31 and Rawhide are currently only) suffice, or is there something else required from us? Does 1.25 solve the issue? It isn't immediately clear. Otherwise I'm inclined to close the Fedora tracker with WONTFIX and point to the upstream wiki. [0]: https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Monday, 23 December Mon, 23 Dec

7:59 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Guilherme de Almeida Suckevicz <gsuckevi(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(gsuckevi(a)redhat.c | |om) | --- Comment #3 from Guilherme de Almeida Suckevicz <gsuckevi(a)redhat.com> --- Since upstream will not fix this issue, I assume that's OK to close this as WONTFIX. You can wait the analysis from our side for more information. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Friday, 14 February Fri, 14 Feb

10:22 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 --- Comment #4 from Marco Benatto <mbenatto(a)redhat.com> --- According the upstream bug entry, they are not considering this a security vulnerability and are not inclined to fix this issue. Given this scenario this bugwill be closed as WONTFIX. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

10:25 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 --- Comment #5 from Marco Benatto <mbenatto(a)redhat.com> --- Statement: The snakeyaml's upstream is not considering this a security vulnerability. Their justification is explained on the link contained on 'External References' field. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

10:25 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 --- Comment #6 from Marco Benatto <mbenatto(a)redhat.com> --- External References: https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

10:27 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Marco Benatto <mbenatto(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |WONTFIX Last Closed| |2020-02-14 16:27:51 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Wednesday, 19 February Wed, 19 Feb

6:25 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Bug 1785376 depends on bug 1785377, which changed state. Bug 1785377 Summary: CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1785377 What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |WONTFIX -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Tuesday, 7 April Tue, 7 Apr

8:48 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Riccardo Schirone <rschiron(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1821739 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Wednesday, 15 April Wed, 15 Apr

4:49 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Jonathan Dowland <jdowland(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jdowland(a)redhat.com --- Comment #8 from Jonathan Dowland <jdowland(a)redhat.com> --- upstream have now merged a patch to fix this. snakeyaml v1.26 contains the fix https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for... https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37f... -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

7:49 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Bug 1785376 depends on bug 1785377, which changed state. Bug 1785377 Summary: CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1785377 What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |ASSIGNED Resolution|WONTFIX |--- -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Tuesday, 21 April Tue, 21 Apr

7:22 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Riccardo Schirone <rschiron(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1826310 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Friday, 24 April Fri, 24 Apr

9:25 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Bug 1785376 depends on bug 1785377, which changed state. Bug 1785377 Summary: CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1785377 What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Thursday, 28 May Thu, 28 May

8:38 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Tomas Hoger <thoger(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1841044 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Monday, 8 June Mon, 8 Jun

2:16 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Chess Hazlett <chazlett(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |snakeyaml 1.26 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Wednesday, 17 June Wed, 17 Jun

11:34 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 --- Comment #10 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat build of Quarkus 1.3.4 Via RHSA-2020:2603 https://access.redhat.com/errata/RHSA-2020:2603 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

11:34 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:2603 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Wednesday, 2 September Wed, 2 Sep

8:03 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Piyush Bhoot <pbhoot(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |pbhoot(a)redhat.com -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Wednesday, 9 September Wed, 9 Sep

2:14 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Marco Benatto <mbenatto(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1877534 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

2:23 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Marco Benatto <mbenatto(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1877545 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Tuesday, 27 October Tue, 27 Oct

11:25 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Tony Garcia <antgarci(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |antgarci(a)redhat.com -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Wednesday, 4 November Wed, 4 Nov

10:41 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 --- Comment #18 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4807 https://access.redhat.com/errata/RHSA-2020:4807 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

10:42 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:4807 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Wednesday, 2 June Wed, 2 Jun

2:39 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Pedro Sampaio <psampaio(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1967297 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Thursday, 3 June Thu, 3 Jun

1:17 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Jonathan Christison <jochrist(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |aileenc(a)redhat.com, | |drieden(a)redhat.com, | |ggaughan(a)redhat.com, | |gmalinko(a)redhat.com, | |janstey(a)redhat.com, | |jross(a)redhat.com, | |rgodfrey(a)redhat.com, | |swoodman(a)redhat.com -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Wednesday, 9 June Wed, 9 Jun

4:45 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 --- Comment #21 from Jonathan Christison <jochrist(a)redhat.com> --- Marking Red Hat AMQ Streams and Red Hat AMQ Online as not affected, both AMQ-ON and AMQ-ST were incorrectly marked as being affected on Thursday 3rd of June 2021 after investigations into the secondary artifact io.prometheus.jmx:jmx_prometheus_javaagent:jar:* which shades/bundles snakeyaml. The version of snakeyaml in use by the io.prometheus.jmx:jmx_prometheus_javaagent:jar:0.14.0.redhat-00002 is org.yaml:snakeyaml:jar:1.26.0.redhat-00002 which is not affected by this vulnerability, this was fixed in AMQ Streams version 1.6.0 onwards. AMQ Online was not affected by this vulnerability through io.prometheus.jmx:jmx_prometheus_javaagent:jar:*. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Wednesday, 11 August Wed, 11 Aug

1:22 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 --- Comment #22 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

1:22 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2021:3140 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Thursday, 19 August Thu, 19 Aug

2:18 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 --- Comment #23 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat AMQ Streams 1.8.0 Via RHSA-2021:3225 https://access.redhat.com/errata/RHSA-2021:3225 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

2:18 a.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2021:3225 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

bugzilla＠redhat.com

Thursday, 23 September Thu, 23 Sep

12:50 p.m.

New subject: [Bug 1785376] CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature

https://bugzilla.redhat.com/show_bug.cgi?id=1785376 Joshua Mulliken <jmullike(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |aboyko(a)redhat.com, | |pdrozd(a)redhat.com, | |sthorger(a)redhat.com -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=1785376

Reply

944

days inactive

1588

days old

java-sig-commits@lists.fedoraproject.org

Manage subscription

33 comments

1 participants

tags (0)

participants (1)

bugzilla＠redhat.com