Security Vulnerability CVE-2022-1471 for snakeyaml@1.33 #356
Comments
The fix will have to involve switching snakeyaml from 1.33 to 2.0. That version has just been released:

@jeffmay The fixes here built and tested fine. Do you have any opinions on versioning? Since this is binary-incompatible we'll need to break the lock step with circe-core releases (which we've done in other areas already), but it causes a bit of whiplash with folk.

Is there going to be a patch release containing this fix?

Ok, I published v0.15.0-RC1 with these upgrades. Please give it a whirl and leave any feedback or upvote the following discussions to make sure these versions are released as stable semantic versions:

Is there a plan to make a new release? I can't address the impact of the binary incompatibility that was mentioned, but generally speaking security patches should be prioritised in my opinion.

Yea, apologies. I am probably not a good person to manage this repo as I do not use Circe or Scala anymore. I'm happy to give someone else permission to manage this.

This is fixed in circe-yaml >= 0.15.0
CVE-2022-1471
The recommended fix is to use SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
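Added illustration of the mitigation the issue recommends (not code from the circe-yaml project or this thread): the same YAML document loaded through SnakeYAML's default constructor and through SafeConstructor. It assumes SnakeYAML 1.33 or 2.x on the classpath; the YAML input is constructed for the demo and uses java.util.HashMap only because it is harmless to instantiate.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoad {

    // Constructed sample: a global "!!" tag names a JVM class. The default
    // Constructor resolves such tags with Class.forName and instantiates the
    // class, which is the root of CVE-2022-1471 on 1.33.
    static final String TAGGED_DOC = "!!java.util.HashMap {a: 1}";
    static final String PLAIN_DOC = "{a: 1}";

    // Vulnerable pattern: new Yaml() with no constructor argument honours
    // whatever global tags the (possibly attacker-supplied) document carries.
    static Object loadWithDefaultConstructor(String doc) {
        return new Yaml().load(doc);
    }

    // Mitigation from the issue: SafeConstructor builds only the standard YAML
    // types (maps, lists, scalars) and throws on any global class tag.
    static Object loadUntrusted(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        // On 1.33 this prints java.util.HashMap, i.e. the tag chose the class.
        // On 2.x global tags are off by default, so expect a rejection here too.
        try {
            Object o = loadWithDefaultConstructor(TAGGED_DOC);
            System.out.println("default : instantiated " + o.getClass().getName());
        } catch (YAMLException e) {
            System.out.println("default : rejected: " + e.getMessage());
        }

        // Plain mapping still loads fine under SafeConstructor.
        Object safe = loadUntrusted(PLAIN_DOC);
        System.out.println("safe    : loaded " + safe.getClass().getName());

        // The tagged document is refused regardless of SnakeYAML version.
        try {
            loadUntrusted(TAGGED_DOC);
            System.out.println("safe    : UNEXPECTED: tagged document accepted");
        } catch (YAMLException e) {
            System.out.println("safe    : rejected tagged document: " + e.getMessage());
        }
    }
}
```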