
Vulnerability in the libyaml library

  • OS details: FED
  • Importance: IMP
  • Operating systems: L
  • Categories: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2014-16073
2014-12-02 00:40:39
——————————————————————————–

Name : libyaml
Product : Fedora 21
Version : 0.1.6
Release : 6.fc21
URL : http://pyyaml.org/
Summary : YAML 1.1 parser and emitter written in C
Description :
YAML is a data serialization format designed for human readability and
interaction with scripting languages. LibYAML is a YAML parser and
emitter written in C.

——————————————————————————–
Update Information:

Security fix for CVE-2014-9130
——————————————————————————–
ChangeLog:

* Mon Dec 1 2014 John Eckersberg <eck@redhat.com> – 0.1.6-6
– Add patch for CVE-2014-9130 (RHBZ#1169371)
——————————————————————————–
References:

[ 1 ] Bug #1169369 – CVE-2014-9130 libyaml: assert failure when processing wrapped strings
https://bugzilla.redhat.com/show_bug.cgi?id=1169369
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c 'yum update libyaml' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

——————————————————————————–
Fedora Update Notification
FEDORA-2014-16130
2014-12-03 00:03:43
——————————————————————————–

Name : libyaml
Product : Fedora 19
Version : 0.1.6
Release : 2.fc19
URL : http://pyyaml.org/
Summary : YAML 1.1 parser and emitter written in C
Description :
YAML is a data serialization format designed for human readability and
interaction with scripting languages. LibYAML is a YAML parser and
emitter written in C.

——————————————————————————–
Update Information:

Security fix for CVE-2014-9130
——————————————————————————–
ChangeLog:

* Mon Dec 1 2014 John Eckersberg <eck@redhat.com> – 0.1.6-2
– Add patch for CVE-2014-9130 (RHBZ#1169371)
* Wed Mar 26 2014 John Eckersberg <jeckersb@redhat.com> – 0.1.6-1
– New upstream release 0.1.6 (bz1081492)
– Fixes CVE-2014-2525 (bz1078083)
* Tue Feb 4 2014 John Eckersberg <jeckersb@redhat.com> – 0.1.5-1
– New upstream release 0.1.5 (bz1061087)
– Removed patches for CVE-2013-6393; they are included in 0.1.5
upstream
* Wed Jan 29 2014 John Eckersberg <jeckersb@redhat.com> – 0.1.4-6
– Add patches for CVE-2013-6393 (bz1033990)
* Sat Aug 3 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 0.1.4-5
– Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1169369 – CVE-2014-9130 libyaml: assert failure when processing wrapped strings
https://bugzilla.redhat.com/show_bug.cgi?id=1169369
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c 'yum update libyaml' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

——————————————————————————–
Fedora Update Notification
FEDORA-2014-16132
2014-12-03 00:03:48
——————————————————————————–

Name : libyaml
Product : Fedora 20
Version : 0.1.6
Release : 2.fc20
URL : http://pyyaml.org/
Summary : YAML 1.1 parser and emitter written in C
Description :
YAML is a data serialization format designed for human readability and
interaction with scripting languages. LibYAML is a YAML parser and
emitter written in C.

——————————————————————————–
Update Information:

Security fix for CVE-2014-9130
——————————————————————————–
ChangeLog:

* Mon Dec 1 2014 John Eckersberg <eck@redhat.com> – 0.1.6-2
– Add patch for CVE-2014-9130 (RHBZ#1169371)
* Wed Mar 26 2014 John Eckersberg <jeckersb@redhat.com> – 0.1.6-1
– New upstream release 0.1.6 (bz1081492)
– Fixes CVE-2014-2525 (bz1078083)
* Tue Feb 4 2014 John Eckersberg <jeckersb@redhat.com> – 0.1.5-1
– New upstream release 0.1.5 (bz1061087)
– Removed patches for CVE-2013-6393; they are included in 0.1.5
upstream
* Wed Jan 29 2014 John Eckersberg <jeckersb@redhat.com> – 0.1.4-6
– Add patches for CVE-2013-6393 (bz1033990)
——————————————————————————–
References:

[ 1 ] Bug #1169369 – CVE-2014-9130 libyaml: assert failure when processing wrapped strings
https://bugzilla.redhat.com/show_bug.cgi?id=1169369
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c 'yum update libyaml' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

——————————————————————————–
Fedora Update Notification
FEDORA-2014-16210
2014-12-04 05:19:46
——————————————————————————–

Name : perl-YAML-LibYAML
Product : Fedora 19
Version : 0.54
Release : 1.fc19
URL : http://search.cpan.org/dist/YAML-LibYAML/
Summary : Perl YAML Serialization using XS and libyaml
Description :
Kirill Simonov’s “libyaml” is arguably the best YAML implementation. The C
library is written precisely to the YAML 1.1 specification. It was originally
bound to Python and was later bound to Ruby.

——————————————————————————–
Update Information:

An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash.
——————————————————————————–
ChangeLog:

* Sun Nov 30 2014 Paul Howarth <paul@city-fan.org> – 0.54-1
– Update to 0.54
– Fix for an edge case in scanner that results in an assert() failing
(https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure)
(CVE-2014-9130)
– Drop upstreamed patches for CVE-2013-6393 and CVE-2014-2525
* Tue Nov 18 2014 Jitka Plesnikova <jplesnik@redhat.com> – 0.52-3
– Update BRs (bz#1165198)
* Wed Aug 27 2014 Jitka Plesnikova <jplesnik@redhat.com> – 0.52-2
– Perl 5.20 rebuild
* Sun Aug 24 2014 Paul Howarth <paul@city-fan.org> – 0.52-1
– Update to 0.52
– Fix e1 test failure on 5.21.4
* Mon Aug 18 2014 Paul Howarth <paul@city-fan.org> – 0.51-1
– Update to 0.51 (various minor tidy-ups, no functional changes)
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 0.47-2
– Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Aug 9 2014 Paul Howarth <paul@city-fan.org> – 0.47-1
– Update to 0.47:
– Fix swim errors
– Include upstream license file
* Wed Aug 6 2014 Jitka Plesnikova <jplesnik@redhat.com> – 0.46-1
– 0.46 bump
* Tue Aug 5 2014 Jitka Plesnikova <jplesnik@redhat.com> – 0.45-1
– 0.45 bump
* Mon Jul 14 2014 Jitka Plesnikova <jplesnik@redhat.com> – 0.44-1
– 0.44 bump
* Sat Jun 7 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 0.41-5
– Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu Mar 27 2014 Paul Howarth <paul@city-fan.org> – 0.41-4
– Fix LibYAML input sanitization errors (CVE-2014-2525)
– Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
* Sun Aug 4 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 0.41-3
– Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> – 0.41-2
– Perl 5.18 rebuild
——————————————————————————–
References:

[ 1 ] Bug #1169369 – CVE-2014-9130 libyaml: assert failure when processing wrapped strings
https://bugzilla.redhat.com/show_bug.cgi?id=1169369
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c 'yum update perl-YAML-LibYAML' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

——————————————————————————–
Fedora Update Notification
FEDORA-2014-16266
2014-12-04 05:22:28
——————————————————————————–

Name : perl-YAML-LibYAML
Product : Fedora 20
Version : 0.54
Release : 1.fc20
URL : http://search.cpan.org/dist/YAML-LibYAML/
Summary : Perl YAML Serialization using XS and libyaml
Description :
Kirill Simonov’s “libyaml” is arguably the best YAML implementation. The C
library is written precisely to the YAML 1.1 specification. It was originally
bound to Python and was later bound to Ruby.

——————————————————————————–
Update Information:

An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash.
——————————————————————————–
ChangeLog:

* Sun Nov 30 2014 Paul Howarth <paul@city-fan.org> – 0.54-1
– Update to 0.54
– Fix for an edge case in scanner that results in an assert() failing
(https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure)
(CVE-2014-9130)
– Drop upstreamed patches for CVE-2013-6393 and CVE-2014-2525
* Tue Nov 18 2014 Jitka Plesnikova <jplesnik@redhat.com> – 0.52-3
– Update BRs (bz#1165198)
* Wed Aug 27 2014 Jitka Plesnikova <jplesnik@redhat.com> – 0.52-2
– Perl 5.20 rebuild
* Sun Aug 24 2014 Paul Howarth <paul@city-fan.org> – 0.52-1
– Update to 0.52
– Fix e1 test failure on 5.21.4
* Mon Aug 18 2014 Paul Howarth <paul@city-fan.org> – 0.51-1
– Update to 0.51 (various minor tidy-ups, no functional changes)
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 0.47-2
– Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Aug 9 2014 Paul Howarth <paul@city-fan.org> – 0.47-1
– Update to 0.47:
– Fix swim errors
– Include upstream license file
* Wed Aug 6 2014 Jitka Plesnikova <jplesnik@redhat.com> – 0.46-1
– 0.46 bump
* Tue Aug 5 2014 Jitka Plesnikova <jplesnik@redhat.com> – 0.45-1
– 0.45 bump
* Mon Jul 14 2014 Jitka Plesnikova <jplesnik@redhat.com> – 0.44-1
– 0.44 bump
* Sat Jun 7 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 0.41-5
– Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu Mar 27 2014 Paul Howarth <paul@city-fan.org> – 0.41-4
– Fix LibYAML input sanitization errors (CVE-2014-2525)
– Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
——————————————————————————–
References:

[ 1 ] Bug #1169369 – CVE-2014-9130 libyaml: assert failure when processing wrapped strings
https://bugzilla.redhat.com/show_bug.cgi?id=1169369
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c 'yum update perl-YAML-LibYAML' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
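
The libyaml updates above keep the upstream version at 0.1.6 and ship the CVE-2014-9130 patch in a new package release, so the version number alone does not show whether a host is fixed. The following added example (not part of the Fedora notifications) reads RPM changelog text and reports the release in which a CVE is first mentioned; the function names and the embedded sample, a copy of the Fedora 20 changelog above with ASCII hyphens, are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the Fedora notifications.
# On a live host, feed it the real changelog:
#   rpm -q --changelog libyaml | cve_fixed_in CVE-2014-9130

# Print the version-release of the OLDEST changelog entry mentioning the CVE.
# RPM prints entries newest first, so the last match is where the fix
# first appeared. Exit status 1 if the CVE is never mentioned.
cve_fixed_in() {
    awk -v cve="$1" '
        /^\* /          { entry = $NF }    # entry header: last field is version-release
        index($0, cve)  { hit = entry }    # remember the entry of every mention
        END { if (hit == "") exit 1; print hit }
    '
}

# Sample input: libyaml changelog from the Fedora 20 notification above
# (constructed copy, with ASCII hyphens as rpm prints them).
sample_changelog() {
    cat <<'EOF'
* Mon Dec 1 2014 John Eckersberg <eck@redhat.com> - 0.1.6-2
- Add patch for CVE-2014-9130 (RHBZ#1169371)
* Wed Mar 26 2014 John Eckersberg <jeckersb@redhat.com> - 0.1.6-1
- New upstream release 0.1.6 (bz1081492)
- Fixes CVE-2014-2525 (bz1078083)
* Tue Feb 4 2014 John Eckersberg <jeckersb@redhat.com> - 0.1.5-1
- New upstream release 0.1.5 (bz1061087)
- Removed patches for CVE-2013-6393; they are included in 0.1.5
  upstream
* Wed Jan 29 2014 John Eckersberg <jeckersb@redhat.com> - 0.1.4-6
- Add patches for CVE-2013-6393 (bz1033990)
EOF
}

for cve in CVE-2014-9130 CVE-2014-2525 CVE-2013-6393; do
    printf '%s first mentioned in %s\n' "$cve" "$(sample_changelog | cve_fixed_in "$cve")"
done
```

Compare the reported release with the output of `rpm -q libyaml`: an installed release older than the one reported does not contain the patch.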

Author: Tomislav Protega
CERT ID: NCERT-REF-2014-12-0009-ADV
CVE: CVE-2014-9130 CVE-2014-2525 CVE-2013-6393
Source ID: FEDORA-2014-16073 FEDORA-2014-16130 FEDORA-2014-16132 FEDORA-2014-16210 FEDORA-2014-16266
Product: libyaml perl-YAML-LibYAML
Source: http://www.redhat.com