Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update snakeyaml to version 1.26 or higher CVE-2017-18640 #6320

Closed
SzymonKowalczyk opened this issue Jul 13, 2020 · 3 comments · Fixed by #6332
Closed

Update snakeyaml to version 1.26 or higher CVE-2017-18640 #6320

SzymonKowalczyk opened this issue Jul 13, 2020 · 3 comments · Fixed by #6332

Comments

@SzymonKowalczyk
Copy link

SzymonKowalczyk commented Jul 13, 2020

When using latest JRuby 9.2.11.1 our Vulnerability scan reported

CVE-2017-18640

for bundled

META-INF/jruby.home/lib/ruby/stdlib/org/yaml/snakeyaml/1.23/.cache/snakeyaml-1.23.jar

Remediation
Upgrade org.yaml:snakeyaml to version 1.26 or higher.

@headius headius added this to the 9.2.13.0 milestone Jul 15, 2020
@headius
Copy link
Member

headius commented Jul 15, 2020

This will have to be done in https://github.com/ruby/psych, but I've marked this for 9.1.13.0 so we make sure to get it done in the next release.

The upgrade of psych should be pretty easy, maybe you could try submitting a PR?

@SzymonKowalczyk
Copy link
Author

SzymonKowalczyk commented Jul 16, 2020

I have created a PR: ruby/psych#457

@headius
Copy link
Member

headius commented Jul 16, 2020

@SzymonKowalczyk Thank you! The updated psych will be released and merged into JRuby soon.

headius added a commit to headius/jruby that referenced this issue Jul 18, 2020
This pulls in SnakeYAML 1.26 and fixes jruby#6320.
@headius headius linked a pull request Jul 18, 2020 that will close this issue
@headius headius closed this as completed Jul 18, 2020
enebo pushed a commit that referenced this issue Aug 31, 2020
This pulls in SnakeYAML 1.26 and fixes #6320.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants