CVE-2022-28948: gopkg.in/yaml.v2 #78
Comments
I find the CVE rather misleading, as it considers all versions >=(!!!)3 to be safe, so the deserialization problem can't be in v3 but rather in v2? But then, not the first slightly messed-up CVE. EDIT: see go-yaml/yaml#666 (comment) ... GitHub did mess this up also. It's a v3 issue, not a v2 issue. I've seen another behavioral change in yaml.v3, where map keys at least in some cases are now
Well, you can't beat the issue number of go-yaml/yaml#666 for the problem underlying the CVE.
GitHub CVE was updated and fixed, see also github/advisory-database#350
That does indeed fix it :D
My read is that this is a v3 issue, not a v2 issue, so this repo is not currently impacted. /close
🐛 Bug Report
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.
We should bump the usages on this repo
The problem is that some assumptions of v2 do not hold on v3, like MapSlice and UnmarshalStrict. How to proceed?