Upgrade org.yaml.snakeyaml to fix CVE-2022-25857 #33355
Labels
status: duplicate
A duplicate of another issue
Comments
spring-projects-issues
added
the
status: waiting-for-triage
|
Nothing went wrong, this is due to our upgrade policy. |
bclozel
added
status: duplicate
|
Ok, understood for Spring Boot 2.x, but why hasn't it be upgraded for Spring Boot 3.x, which would allow breaking changes? |
|
I don't understand, Spring Boot 3.0.0 depends on SnakeYaml 1.33. Which version should we upgrade to? |
|
Eiks, too many repos on my side, mixed things up :-/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Neither in Spring Boot 2.7.6 nor in 3.0.0, org.yaml.snakeyaml was upgraded to latest release 1.32 or 1.33 fixing
CVE-2022-25857
As this is a managed dependency, is there maybe something wrong with automated upgrade in case of snakeyaml?
We are running several services in production with Spring Boot 2.7.5 and snakeyaml 1.32 without any problems.
PS: There is still another open unfixed security bug in snakeyaml: CVE-2022-41854
The text was updated successfully, but these errors were encountered: