Snakeyaml: provide a fix for CVE-2022-1471 by backporting the fix to 1.33


Sourabh SP

Mar 6, 2023, 2:35:14 AM
to SnakeYAML
Hello,

I, like others, was waiting for an official fix for CVE-2022-1471.

We use Snakeyaml with Spring Boot 2.7.x versions, which are not compatible with the fixed Snakeyaml version 2.0.

Hence, I am requesting that you backport the fix to 1.3x.

Please let me know.

Thanks
Sourabh

Andrey Somov

Mar 6, 2023, 2:57:37 AM
to snakeya...@googlegroups.com
Hi Sourabh,
if you use Spring, the issue CVE-2022-1471 does not affect you. It is a false positive.
What is the tool that creates this report? Have you created a bug report in their issue tracker?

Cheers,
Andrey



Sourabh SP

Mar 6, 2023, 8:13:24 AM
to SnakeYAML
@Andrey,

Could you confirm if Snakeyaml 2.0 is compatible with Spring Boot 2.7.x and 3.0.x?

Thanks
Sourabh

Andrey Somov

Mar 6, 2023, 8:18:29 AM
to snakeya...@googlegroups.com
Dear Sourabh,
for your information, it is not the library that is compatible with an application; it is the other way around.
In your case it is not important: since you use Spring, you do not have to do anything. You are not affected by CVE-2022-1471.

Cheers,
Andrey
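The point under discussion in this thread is whether CVE-2022-1471 applies to a given application, and that depends on which constructor the application hands to SnakeYAML, not on the library version alone. The following is an added example, not code from this thread, from the SnakeYAML project or from Spring: it loads a constructed YAML document carrying a global tag (!!java.net.URL) once with the default constructor and once with SafeConstructor, so a practitioner can observe the behaviour the CVE describes (arbitrary class instantiation from a tag) and the rejection that SafeConstructor provides. Assumptions: SnakeYAML 1.33 or 2.x on the classpath (the SafeConstructor(LoaderOptions) constructor is assumed to exist in the version used), the class name SnakeYamlTagCheck and the sample document are made up for the demo, and no network access is needed because java.net.URL only parses the string.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SnakeYamlTagCheck {

    // Constructed sample input (not from the thread): a YAML global tag that asks the
    // loader to instantiate an arbitrary JDK class with a one-argument constructor.
    // java.net.URL is used here because it is harmless; the mechanism is the same one
    // CVE-2022-1471 describes for classes that are not harmless.
    static final String UNTRUSTED_DOC = "!!java.net.URL [\"http://example.com/\"]";

    // new Yaml() with no arguments uses org.yaml.snakeyaml.constructor.Constructor.
    // On SnakeYAML 1.x that constructor resolves !!fully.qualified.Name tags to classes
    // and instantiates them, which is the behaviour behind CVE-2022-1471.
    static Object loadWithDefaultConstructor(String doc) {
        return new Yaml().load(doc);
    }

    // SafeConstructor only builds the standard YAML types (maps, lists, scalars) and
    // rejects global tags it does not know, so the same document fails to load.
    // Assumption: SafeConstructor(LoaderOptions) exists in the SnakeYAML version used
    // (it does in 2.x; 1.33 is assumed here).
    static Object loadSafely(String doc) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(doc);
    }

    public static void main(String[] args) {
        // 1. Default constructor: on 1.x this prints "java.net.URL", proving that a tag in
        //    untrusted input chose the class. On 2.x the default constructor also rejects
        //    global tags unless a TagInspector explicitly allows them, so this throws.
        try {
            Object built = loadWithDefaultConstructor(UNTRUSTED_DOC);
            System.out.println("default Constructor instantiated: " + built.getClass().getName());
        } catch (ConstructorException e) {
            System.out.println("default Constructor rejected the tag: " + e.getMessage());
        }

        // 2. SafeConstructor: expected outcome on every version is a ConstructorException,
        //    which is what an application parsing untrusted YAML should rely on.
        try {
            loadSafely(UNTRUSTED_DOC);
            System.out.println("unexpected: SafeConstructor accepted the tag");
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

The practical check this gives you is simple: grep the code base for `new Yaml()` and `new Constructor(` applied to input you do not control; a `new Yaml(new SafeConstructor(...))` call path, or a framework that only ever parses its own configuration files with a restricted constructor (which is the situation Andrey is describing for Spring), is what makes the scanner finding a false positive for that application rather than the version number.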
