Re: CVE-2023-33460, ruby-yajl affected?

To: Tobias Frost <tobi@debian.org>
Cc: Bastien Roucariès <bastien.roucaries@cyu.fr>, debian-security@lists.debian.org, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: CVE-2023-33460, ruby-yajl affected?
From: Anton Gladky <gladk@debian.org>
Date: Thu, 6 Jul 2023 06:20:45 +0200
Message-id: <[🔎] CALF6qJmN1=w27iUWmFtmNdGsDpYaMknH4AB=GrdKozez15m9kA@mail.gmail.com>
In-reply-to: <[🔎] ZKWSxtlwhX5kpx+B@isildor.loewenhoehle.ip>
References: <[🔎] CALF6qJnB54MTcMXLFSj1vz1BA-J0mdUjEYGDjBiWrFk=ZLxVqg@mail.gmail.com> <[🔎] 3389473.b9s1R4cD0y@portable-bastien> <[🔎] ZKWSxtlwhX5kpx+B@isildor.loewenhoehle.ip>

Thanks all for the discussion.

@Tobias, thanks for marking the CVE in the list.

Best regards

Anton

Am Mi., 5. Juli 2023 um 17:56 Uhr schrieb Tobias Frost <tobi@debian.org>:

On Wed, Jul 05, 2023 at 09:06:15AM +0000, Bastien Roucaričs wrote:
> Le mercredi 5 juillet 2023, 04:52:48 UTC Anton Gladky a écrit :
> > Hello,
> >
> > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> > is affected. There is no direct dependency on yajl, where the vulnerability
> > was detected.
> ruby-yajl include a old version of yajl 1.01.12
>
> The vuln code was introduced by https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb in version 2.1.0 in 2010

This matches my investation, however, a small correction: This commit is already part of version 2.0.0.

I've added note in data/CVE/list accordingly.

--
Cheers,
tobi

Reply to:

References:
- CVE-2023-33460, ruby-yajl affected?
  - From: Anton Gladky <gladk@debian.org>
- Re: CVE-2023-33460, ruby-yajl affected?
  - From: Bastien Roucariès <bastien.roucaries@cyu.fr>
- Re: CVE-2023-33460, ruby-yajl affected?
  - From: Tobias Frost <tobi@debian.org>

Prev by Date: Re: CVE-2023-33460, ruby-yajl affected?
Next by Date: Re: Securing Debian Manual too old?
Previous by thread: Re: CVE-2023-33460, ruby-yajl affected?
Next by thread: Re: Securing Debian Manual too old?
Index(es):
- Date
- Thread