ALAS2023-2023-375

Amazon Linux 2023 Security Advisory: ALAS-2023-375
Advisory Release Date: 2023-09-27 21:07 Pacific
Advisory Updated Date: 2023-10-03 20:50 Pacific

Severity: Medium

References: CVE-2022-38752 CVE-2022-41854
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow. (CVE-2022-38752)

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack. (CVE-2022-41854)

Affected Packages:

snakeyaml

Issue Correction:
Run dnf update snakeyaml --releasever 2023.2.20231002 to update your system.

New Packages:

noarch:
    snakeyaml-1.27-6.amzn2023.0.3.noarch
    snakeyaml-javadoc-1.27-6.amzn2023.0.3.noarch

src:
    snakeyaml-1.27-6.amzn2023.0.3.src

Additional References

Red Hat: CVE-2022-38752, CVE-2022-41854

Mitre: CVE-2022-38752, CVE-2022-41854

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALAS2023-2023-375

Additional References