update: libyaml #1490

dongsupark · 2024-07-01T14:16:33Z

Name: libyaml
CVEs: CVE-2024-35325, CVE-2024-35326
CVSSs: n/a, 9.8
Action Needed: TBD

Summary:

CVE-2024-35325: A vulnerability was found in libyaml up to 0.2.5. Affected by this issue is the function yaml_event_delete of the file /src/libyaml/src/api.c. The manipulation leads to a double-free.
- https://bugzilla.redhat.com/show_bug.cgi?id=2292350
CVE-2024-35326: libyaml v0.2.5 is vulnerable to Buffer Overflow. Affected by this issue is the function yaml_emitter_emit of the file /src/libyaml/src/emitter.c. The manipulation leads to a double-free.
- https://bugzilla.redhat.com/show_bug.cgi?id=2292351

refmap.gentoo: TBD

dongsupark · 2024-08-09T10:10:19Z

CVE-2024-35326 has now critical severity.
However, upstream libyaml maintainer seems to think it is not a valid issue, including other similar ones.

dongsupark · 2024-08-29T10:08:28Z

Both CVEs were withdrawn, closing.

dongsupark added security security concerns advisory security advisory labels Jul 1, 2024

github-actions bot mentioned this issue Jul 22, 2024

Monthly contributions report 2024-06-22 - 2024-07-21 #1497

Closed

dongsupark added the cvss/CRITICAL >= 9 assessed CVSS label Aug 9, 2024

dongsupark added the advisory/upstream-blocked blocked by upstream projects label Aug 9, 2024

github-actions bot mentioned this issue Aug 22, 2024

Monthly contributions report 2024-07-22 - 2024-08-21 #1519

Closed

dongsupark closed this as completed Aug 29, 2024

github-actions bot mentioned this issue Sep 22, 2024

Monthly contributions report 2024-08-22 - 2024-09-21 #1547

Closed

Provide feedback