Security Vulnerability CVE-2022-1471 for snakeyaml@1.33 #356
Comments
|
The fix will have to involve switching snakeyaml from 1.33 to 2.0. That version has just been released: |
|
@jeffmay The fixes here built and tested fine. Do you have any opinions on versioning? Since this is binary incompat we'll need to break the lock step with circe-core releases (which we've done in other areas already) but it causes a bit of whiplash with folk. |
|
Is there going to be a patch release containing this fix? |
|
Ok, I published v0.15.0-RC1 with these upgrades. Please give it a whirl and leave any feedback or upvote the following discussions to make sure these versions are released as stable semantic versions: |
|
Is there a plan to make a new release? I can't address the impact of the binary incompatibility that was mentioned, but generally speaking security patches should be prioritised in my opinion. |
|
Yea, apologies. I am probably not a good person to manage this repo as I do not use Circe or Scala anymore. I'm happy to give someone else permission to manage this. |
|
This is fixed in circe-yaml >= 0.15.0 |
CVE-2022-1471
Recommended fix is to use SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.
The text was updated successfully, but these errors were encountered: