Skip to content

Bump go-yaml version to cover fixed ddos heuristic #161

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 17, 2019
Merged

Bump go-yaml version to cover fixed ddos heuristic #161

merged 1 commit into from
Oct 17, 2019

Conversation

@petrkotas
Copy link
Contributor

@petrkotas petrkotas commented Oct 17, 2019

go-yaml preceding 2.2.4 had vulnerability to ddos attack via billion
laughs bomb.
Such attack lead to program to be unresponsive.
Issue has been described in
https://raesene.github.io/blog/2019/10/15/From-stackoverflow-to-CVE/

Signed-off-by: Petr Kotas petr.kotas@gmail.com

@codecov
Copy link

codecov bot commented Oct 17, 2019
edited
Loading

Codecov Report

Merging #161 into master will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #161   +/-   ##
=======================================
  Coverage   80.13%   80.13%           
=======================================
  Files          40       40           
  Lines        2351     2351           
=======================================
  Hits         1884     1884           
  Misses        361      361           
  Partials      106      106

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 61a733d...3702930. Read the comment docs.

@petrkotas petrkotas changed the title This PR bumbs go-yaml to v2.2.4, which has the ddos vulnerability fixed. Bump go-yaml version to cover fixed ddos heuristic Oct 17, 2019
@petrkotas
Bump go-yaml version to cover fixed ddos heuristic
3702930 
This PR bumbs go-yaml to v2.2.4, which has the ddos vulnerability fixed.

Issue:
go-yaml preceding 2.2.4 had vulnerability to ddos attack via billion
laughs bomb.
Such attack lead to program to be unresponsive.
Issue has been described in
https://raesene.github.io/blog/2019/10/15/From-stackoverflow-to-CVE/

Signed-off-by: Petr Kotas <petr.kotas@gmail.com>
@petrkotas petrkotas mentioned this pull request Oct 17, 2019
Merged
@casualjim casualjim merged commit 553c9d1 into go-openapi:master Oct 17, 2019
kzys pushed a commit to kzys/runtime that referenced this pull request Dec 17, 2022
@mxpv
Merge pull request go-openapi#161 from mxpv/linter
93219bb 
Updater linters
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@casualjim casualjim casualjim approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@petrkotas @casualjim