circe / circe-yaml

YAML parser for circe using SnakeYAML
Apache License 2.0

Security Vulnerability CVE-2022-1471 for snakeyaml@1.33 #356

Closed jkobejs closed 12 months ago

jkobejs commented 1 year ago

CVE-2022-1471

Recommended fix is to use SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
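As an added illustration of that recommendation (example code, not from the commenter or from circe-yaml), the snippet below builds a SnakeYAML loader around `SafeConstructor` and confirms that a document carrying a global `!!class` tag is rejected rather than resolved to a class. It assumes snakeyaml 1.31 or later, including 2.0, where `SafeConstructor` accepts a `LoaderOptions`; the `com.example.Hypothetical` tag is a constructed placeholder, not a real class.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class SafeYamlLoad {

    // Loader restricted to standard YAML types (maps, lists, scalars).
    // Global tags such as !!com.example.Foo are rejected instead of being
    // resolved to a class and instantiated, which is the behaviour of the
    // default Constructor that CVE-2022-1471 describes for snakeyaml <= 1.33.
    static Yaml safeLoader() {
        LoaderOptions options = new LoaderOptions();
        options.setMaxAliasesForCollections(50);   // also bounds alias expansion
        return new Yaml(new SafeConstructor(options));
    }

    public static void main(String[] args) {
        Yaml yaml = safeLoader();

        // Constructed sample: plain untrusted config with no custom tags.
        String plain = "name: demo\nreplicas: 3\ntags: [a, b]\n";
        Map<String, Object> doc = yaml.load(plain);
        System.out.println("replicas = " + doc.get("replicas"));

        // Constructed sample: a document carrying a global tag. The class
        // name is hypothetical; SafeConstructor fails before any class lookup.
        String tagged = "handler: !!com.example.Hypothetical {}\n";
        try {
            yaml.load(tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (ConstructorException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The same restriction applies in circe-yaml only if the SnakeYAML parser it wraps is configured this way; upgrading to a version that no longer uses the unrestricted default is what the rest of this thread resolves.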

mziolekda commented 1 year ago

The fix will have to involve switching snakeyaml from 1.33 to 2.0. That version has just been released: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479

zmccoy commented 1 year ago

@jeffmay The fixes here built and tested fine. Do you have any opinions on versioning? Since this is binary incompat we'll need to break the lock step with circe-core releases (which we've done in other areas already) but it causes a bit of whiplash with folk.
cc @zarthross Thanks!

mziolekda commented 1 year ago

Is there going to be a patch release containing this fix?

jeffmay commented 1 year ago

Ok, I published v0.15.0-RC1 with these upgrades. Please give it a whirl and leave any feedback or upvote the following discussions to make sure these versions are released as stable semantic versions:

fjallstl commented 1 year ago

Is there a plan to make a new release? I can't address the impact of the binary incompatibility that was mentioned, but generally speaking security patches should be prioritised in my opinion.

jeffmay commented 1 year ago

Yea, apologies. I am probably not a good person to manage this repo as I do not use Circe or Scala anymore. I'm happy to give someone else permission to manage this.

jeffmay commented 12 months ago

This is fixed in circe-yaml >= 0.15.0