embedded yajl is vulnerable to CVE-2017-16516 and CVE-2022-24795 #431

Closed
tillea opened this issue Oct 24, 2023 · 3 comments


tillea commented Oct 24, 2023

Hi,
the Debian package of jsonlite received a bug report about two CVEs by which your embedded code copy of yajl is affected. It would be great if you either keep an eye on these CVEs or enable building against the system-provided yajl library as requested in issue #430.
Kind regards, Andreas.

@jeroen jeroen closed this as completed in 10567de Oct 26, 2023
jeroen (Owner) commented Oct 26, 2023

Thanks for the heads up. I applied the patches for CVE-2022-24795, CVE-2022-24795, CVE-2023-33460 although I am not quite sure that our bindings are actually affected by any of these issues.

tillea (Author) commented Oct 27, 2023

It would be great if you could tag a new release with these changes and push it to CRAN.

jeroen (Owner) commented Dec 4, 2023

Released these changes in v1.8.8 on CRAN.
