


Re: CVE-2023-33460, ruby-yajl affected?

From Tobias Frost <tobi@debian.org>
Newsgroups linux.debian.security
Subject Re: CVE-2023-33460, ruby-yajl affected?
Date 2023-07-05 18:20 +0200
Message-ID <GOdot-3ap1-5@gated-at.bofh.it>
References <GO2Mp-33D9-5@gated-at.bofh.it> <GO79n-36vc-7@gated-at.bofh.it>
Organization linux.* mail to news gateway



On Wed, Jul 05, 2023 at 09:06:15AM +0000, Bastien Roucariès wrote:
> On Wednesday, 5 July 2023, 04:52:48 UTC, Anton Gladky wrote:
> > Hello,
> > 
> > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> > is affected. There is no direct dependency on yajl, where the vulnerability
> > was detected.
> ruby-yajl includes an old version of yajl 1.01.12
> 
> The vuln code was introduced by https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb in version 2.1.0 in 2010

This matches my investigation, however, a small correction: This commit is already part of version 2.0.0.

I've added a note in data/CVE/list accordingly.

-- 
Cheers,
tobi
 



Thread

CVE-2023-33460, ruby-yajl affected? Anton Gladky <gladk@debian.org> - 2023-07-05 07:00 +0200
  Re: CVE-2023-33460, ruby-yajl affected? Bastien Roucariès <bastien.roucaries@cyu.fr> - 2023-07-05 11:40 +0200
    Re: CVE-2023-33460, ruby-yajl affected? Tobias Frost <tobi@debian.org> - 2023-07-05 18:20 +0200
      Re: CVE-2023-33460, ruby-yajl affected? Anton Gladky <gladk@debian.org> - 2023-07-06 06:30 +0200
