Upgrade SnakeYAML #25010

Closed
ljacomet opened this issue May 5, 2023 · 0 comments
Comments

@ljacomet
Member

ljacomet commented May 5, 2023

We need to upgrade SnakeYAML to no longer have Gradle exposed to CVE-2022-1471.

Note that the risk of abuse in Gradle is only possible through:

  • Loading a crafted Swift dependency file module.swiftdeps

If you do not use Swift, you are not impacted.

However, given the CVE score, Gradle will be updated to a safe version of SnakeYAML.
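As an added illustration that is not part of the issue or of Gradle's code base: the bug class behind CVE-2022-1471 is SnakeYAML instantiating whatever class a global `!!` tag names, and the standard defensive configuration is to build the loader with `SafeConstructor`, which only ever produces plain data types. It assumes the SnakeYAML 2.x API; the `com.example.Anything` tag and both YAML strings are constructed samples.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class SafeYamlLoad {

    // Constructed sample: a plain mapping, the shape a data-only file should have.
    static final String PLAIN = "name: demo\nversion: 2\n";

    // Constructed sample: a global tag asking the loader to instantiate a class.
    // com.example.Anything is a placeholder; SafeConstructor refuses every such
    // tag before any class lookup happens, so the name does not matter.
    static final String TAGGED = "!!com.example.Anything { value: 1 }\n";

    /** Parse YAML into maps, lists and scalars only; any global tag is rejected. */
    static Object loadSafely(String yaml) {
        // Unlike the default Constructor, SafeConstructor has no class-name resolution.
        Yaml safe = new Yaml(new SafeConstructor(new LoaderOptions()));
        return safe.load(yaml);
    }

    public static void main(String[] args) {
        Map<?, ?> data = (Map<?, ?>) loadSafely(PLAIN);
        System.out.println("loaded keys: " + data.keySet());

        try {
            loadSafely(TAGGED);
            System.out.println("unexpected: tagged document was accepted");
        } catch (ConstructorException e) {
            // SafeConstructor reports that it cannot determine a constructor for the tag.
            System.out.println("rejected tagged document: " + e.getMessage());
        }
    }
}
```

Only data-carrying files such as a dependency manifest need this loader; a parser that genuinely must build typed objects should instead enumerate the allowed classes explicitly rather than rely on the default `Constructor`.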

@ljacomet ljacomet added the a:chore Minor issue without significant impact label May 5, 2023
@ljacomet ljacomet added this to the 8.2 RC1 milestone May 5, 2023
@ljacomet ljacomet self-assigned this May 5, 2023
bot-gradle added a commit that referenced this issue May 7, 2023
* Resolves CVE-2022-1471

Fixes #25010

Co-authored-by: Louis Jacomet <louis@gradle.com>