• CVE-2023-33460, ruby-yajl affected?

    From Anton Gladky@21:1/5 to All on Wed Jul 5 07:00:01 2023
    Hello,

    I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
    is affected. There is no direct dependency on yajl, where the vulnerability
    was detected.

    Should ruby-yajl be unmarked as affected by this CVE?

    Thank you

    Anton


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bastien Roucariès@21:1/5 to All on Wed Jul 5 11:40:01 2023
    On Wednesday, 5 July 2023, 04:52:48 UTC, Anton Gladky wrote:
    > Hello,
    >
    > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
    > is affected. There is no direct dependency on yajl, where the vulnerability was detected.
    ruby-yajl includes an old version of yajl, 1.01.12.

    The vulnerable code was introduced by https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb in version 2.1.0 in 2010.

    Now the question is why this package uses such an old version.

    Bastien

    > Should ruby-yajl be unmarked as affected by this CVE?
    >
    > Thank you
    >
    > Anton


  • From Tobias Frost@21:1/5 to All on Wed Jul 5 18:20:01 2023
    On Wed, Jul 05, 2023 at 09:06:15AM +0000, Bastien Roucariès wrote:
    > On Wednesday, 5 July 2023, 04:52:48 UTC, Anton Gladky wrote:
    > > Hello,
    > >
    > > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
    > > is affected. There is no direct dependency on yajl, where the vulnerability was detected.
    > ruby-yajl includes an old version of yajl, 1.01.12.
    >
    > The vulnerable code was introduced by https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb in version 2.1.0 in 2010.

    This matches my investigation; however, a small correction: this commit is already part of version 2.0.0.

    I've added a note in data/CVE/list accordingly.

    --
    Cheers,
    tobi

  • From Anton Gladky@21:1/5 to All on Thu Jul 6 06:30:01 2023
    Thanks all for the discussion.
    @Tobias, thanks for marking the CVE in the list.

    Best regards

    Anton


    On Wed, 5 July 2023 at 17:56, Tobias Frost <tobi@debian.org> wrote:

    > On Wed, Jul 05, 2023 at 09:06:15AM +0000, Bastien Roucariès wrote:
    > > On Wednesday, 5 July 2023, 04:52:48 UTC, Anton Gladky wrote:
    > > > Hello,
    > > >
    > > > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
    > > > is affected. There is no direct dependency on yajl, where the
    > > > vulnerability was detected.
    > > ruby-yajl includes an old version of yajl, 1.01.12.
    > >
    > > The vulnerable code was introduced by
    > > https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb in version 2.1.0 in 2010.
    >
    > This matches my investigation; however, a small correction: this commit is already part of version 2.0.0.
    >
    > I've added a note in data/CVE/list accordingly.
    >
    > --
    > Cheers,
    > tobi


