
Update yaml_snakeyaml dependency on 2.7.x to fix vulnerability #33531


Closed
mathonweb opened this issue Dec 15, 2022 · 1 comment
Labels
status: duplicate A duplicate of another issue

Comments

@mathonweb

Critical vulnerability CVE-2022-1471 is associated with org.yaml_snakeyaml version 1.30. Fixed in version 1.31.

Version 2.7.6 of spring-boot still uses version 1.30.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 15, 2022
@bclozel (Member)

bclozel commented Dec 15, 2022

Duplicates #33457
Also see #32221 to better understand our upgrade policy and why we can’t upgrade in 2.7.x.

@bclozel bclozel closed this as not planned Won't fix, can't repro, duplicate, stale Dec 15, 2022
@bclozel bclozel added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 15, 2022