
bump snakeyaml to address CVE-2022-38751 #1346

Merged
merged 8 commits into from
Mar 8, 2023

Conversation

yogsototh

@yogsototh yogsototh commented Mar 8, 2023

Bump snakeyaml version to fix a security issue.

See this conversation to confirm we are not vulnerable to CVE-2022-1471.

The only place that CTIA might parse yaml is during trapperkeeper's bootstrap. But we don't use yaml configs and we'd always trust our own configuration anyway.

§ Squashed Commits


@msprunck msprunck left a comment

LGTM!

frenchy64 commented Mar 8, 2023

As long as we don't use snakeyaml directly, apparently clj-yaml is immune to this CVE by default. I think we just need to check if we use clj-yaml safely. TK also uses it. clj-commons/clj-yaml#83
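What "using clj-yaml safely" amounts to at the SnakeYAML level, as an added illustration that is not CTIA's, trapperkeeper's or clj-yaml's own code: a loader built on SafeConstructor (which refuses tags that would instantiate arbitrary classes) with a bounded nesting depth (the limit SnakeYAML added against deeply nested documents that overflow the stack, the issue class CVE-2022-38751 belongs to). It drives SnakeYAML 1.33 directly through Clojure interop, which the PR says CTIA does not do, and assumes that version exposes `SafeConstructor(LoaderOptions)` and `LoaderOptions.setNestingDepthLimit`; all inputs in the comment block are constructed samples.

```clojure
(ns example.safe-yaml
  (:import [org.yaml.snakeyaml Yaml LoaderOptions]
           [org.yaml.snakeyaml.constructor SafeConstructor]
           [org.yaml.snakeyaml.error YAMLException]))

(defn safe-yaml
  "Build a SnakeYAML loader that only constructs plain scalars, maps and
  sequences, and refuses documents nested deeper than max-depth.
  Assumes the 1.33 API: SafeConstructor(LoaderOptions), setNestingDepthLimit."
  ^Yaml [max-depth]
  (let [opts (doto (LoaderOptions.)
               (.setNestingDepthLimit (int max-depth)))]
    (Yaml. (SafeConstructor. opts))))

(defn load-safely
  "Parse YAML text with the given loader.
  Returns {:ok value} on success or {:error message} when SnakeYAML rejects
  the document, so callers never have to catch parser exceptions themselves."
  [^Yaml yaml ^String text]
  (try
    {:ok (.load yaml text)}
    (catch YAMLException e
      {:error (.getMessage e)})))

(comment
  (def yaml (safe-yaml 20))

  ;; Constructed sample config: plain scalars, a map and a sequence load fine
  ;; and come back as java.util.Map / java.util.List values.
  (load-safely yaml "server:\n  port: 3000\n  hosts: [a, b]\n")

  ;; Constructed sample: 100 nested sequences exceeds the depth limit of 20,
  ;; so the loader reports an error instead of recursing until the stack blows.
  (load-safely yaml (str (apply str (repeat 100 "["))
                         (apply str (repeat 100 "]"))))

  ;; Constructed sample: a global tag naming a JVM class. SafeConstructor has
  ;; no constructor registered for it and returns an error rather than
  ;; instantiating the class, which is the behaviour the comment above relies
  ;; on clj-yaml providing by default.
  (load-safely yaml "!!java.util.Date 0"))
```

The depth and tag checks are the two properties worth asserting in a test suite whenever the snakeyaml or clj-yaml dependency is bumped again.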

@frenchy64

Actually, there are 2 vulns:

We might not need the latter due to clj-yaml, but I think 1.33 is a good version to fix the former.

@frenchy64 frenchy64 changed the title bump snakeyaml due to security issue bump snakeyaml to address CVE-2022-38751 Mar 8, 2023
@frenchy64 frenchy64 merged commit 2736f7d into master Mar 8, 2023