-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 11 Jul 2023 19:55:30 +0200
Source: yajl
Architecture: source
Version: 2.1.0-3+deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: John Stamp <jstamp@users.sourceforge.net>
Changed-By: Tobias Frost <tobi@debian.org>
Closes: 1039984 1040036
Changes:
 yajl (2.1.0-3+deb11u2) bullseye; urgency=medium
 .
   [Tobias Frost]
   * Non-maintainer upload.
   * Cherry pick John's CVE fixes from 2.1.0-4 and 2.1.0-5:
     - CVE-2017-16516: Potential denial of service with crafted JSON file
     - CVE-2022-24795: integer overflow which leads to subsequent heap memory
       corruption when dealing with large (~2GB) inputs.
     - CVE-2023-33460: memory leak which potentially can lead to an
       out-of-memory situation and cause a crash.
 .
   [John Stamp]
   * Patch CVE-2017-16516 and CVE-2022-24795 (Closes: #1040036)
   * The patch for CVE-2023-33460 turned out to be incomplete. Fix that.
     (Closes: #1039984)
Checksums-Sha1:
 aac9ad12d9a96cf7f143dd2519d8eabde9f8ffd0 1980 yajl_2.1.0-3+deb11u2.dsc
 ef79354e2721a96be367b8e809baead570c12924 7052 yajl_2.1.0-3+deb11u2.debian.tar.xz
 c76501121b4057271c957f2bbed9cf512dbf2726 8644 yajl_2.1.0-3+deb11u2_amd64.buildinfo
Checksums-Sha256:
 2ba7f52774411086f7f082cdd7e7928f081216aa596c9660b5ad3de9ba875711 1980 yajl_2.1.0-3+deb11u2.dsc
 e942586d6f7990304843050d50d843734fd608f0a3f6b48660972cd93e888799 7052 yajl_2.1.0-3+deb11u2.debian.tar.xz
 73ca068f275aee58fc338772cc6106e7e8110a2f47a2d74f52d8e29813920da3 8644 yajl_2.1.0-3+deb11u2_amd64.buildinfo
Files:
 d8b1bc027f7e03ec2b13bf0029407b94 1980 libs optional yajl_2.1.0-3+deb11u2.dsc
 148b03e929b561f70bfe86cc01b91eb3 7052 libs optional yajl_2.1.0-3+deb11u2.debian.tar.xz
 29a846e44b783f13c0055245aa20ccbc 8644 libs optional yajl_2.1.0-3+deb11u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAmS9TnEACgkQkWT6HRe9
XTYZBg//fHytlnzn1HUfU4g9rejP/GaYZtKEs8O82zmD++Y8IsFqSuRl1eYgfFuq
wfCudAsmm3UUFjFMCGIjjo6IiMrB8017nXPdOP3EVnE6EhoeHBary7kLPrR2Dz06
t4NnohkNz/slrv/S1CGMjzMXxvAqlKOmUD7cEVVjmh9Kl2S+8Lhh/RFiMJnVSDpi
2c3Rps4ulm3Szyi6q6reLmPDJv2gUwSVhvEkMIiL071ayDzbCmh7A4XtGNCvjAee
C4ZaEQ5BiY62jmJE6knVTOCHSAhli72tiAdf7d4SDHiXchnai6alAlvR07JaNXFi
lnc5mnhvg+zhYRnXUJLXVpxJqOH3v3SfLGAMvpoMxUIF/gnSu3zVJw+A6YBn+M30
e2+87U8T6mMck6vjZfzZTr1eteFvpsRbcaFRONAMyEXALj68ByKydu7lIFTsMXo9
LVBCiNirYpEq8Ae7fzvzSvYi1Q2r45sRlF9xu+G5QaMpMlb47mGSLp4XLFLoqudg
drMlDlVToRV6qdF5KSlRmJ0go4/A2f09qvmFbn/Q8Sz0o/yVw0zZar83chIwO1rJ
HnE/gYFPO/+sGfULM1yhW7X3bIe/dhGg8pV7455jcUQVTE02BQPpm3cevuKlCkeD
UFY2ZyE31gdvsEDxgbXgnnkeho+NYBc4qI3cdCdpVG0TV7AX1z4=
=a8/U
-----END PGP SIGNATURE-----