Lucene search

K
suseSuseSUSE-SU-2022:3397-1
HistorySep 26, 2022 - 12:00 a.m.

Security update for snakeyaml (important)

2022-09-2600:00:00
lists.opensuse.org
29
snakeyaml
update
vulnerabilities
fix
cve-2022-38750
cve-2022-38749
cve-2022-38752
cve-2022-38751
cve-2022-25857
suse
security update
patch
suse linux enterprise
opensuse leap
suse manager server
development tools

0.003 Low

EPSS

Percentile

71.7%

An update that fixes 6 vulnerabilities is now available.

Description:

This update for snakeyaml fixes the following issues:

  • CVE-2022-38750: Fixed uncaught exception in
    org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
    (bsc#1203158).
  • CVE-2022-38749: Fixed StackOverflowError for many open unmatched
    brackets (bsc#1203149).
  • CVE-2022-38752: Fixed uncaught exception in
    java.base/java.util.ArrayList.hashCode (bsc#1203154).
  • CVE-2022-38751: Fixed unrestricted data matched with Regular Expressions
    (bsc#1203153).
  • CVE-2022-25857: Fixed denial of service vulnerability due missing to
    nested depth limitation for collections (bsc#1202932).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4:

    zypper in -t patch openSUSE-SLE-15.4-2022-3397=1

  • openSUSE Leap 15.3:

    zypper in -t patch openSUSE-SLE-15.3-2022-3397=1

  • SUSE Linux Enterprise Module for SUSE Manager Server 4.3:

    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2022-3397=1

  • SUSE Linux Enterprise Module for SUSE Manager Server 4.2:

    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-3397=1

  • SUSE Linux Enterprise Module for Development Tools 15-SP4:

    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2022-3397=1

  • SUSE Linux Enterprise Module for Development Tools 15-SP3:

    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-3397=1