Actions
Bug #22983
closed
Snake-yaml dependency in zio-json is subjected to CVE
Status:
Released
Priority:
N/A
Assignee:
Category:
Architecture - Code maintenance
Target version:
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
No
Description
zio-json-yaml comes with snakeyaml 1.33, which is subjected to cve-2022-1471 (https://www.veracode.com/blog/research/resolving-cve-2022-1471-snakeyaml-20-release-0)
We can use version 2.0 to correct the problem, what we tried to tell maven to do, but failed to.
Updated by François ARMAND 10 months ago
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by François ARMAND 10 months ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder/pull/4862
Updated by Anonymous 10 months ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|60b686616d42245c7b35866136ee31e2cc028976.
Updated by Vincent MEMBRÉ 10 months ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 8.0.0~alpha1 which was released today.
Actions