CVE-2022-3064

NameCVE-2022-3064
DescriptionParsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3479-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-yaml.v2 (PTS)bullseye2.4.0-1fixed
bookworm2.4.0-4fixed
trixie2.4.0-5fixed
forky, sid2.4.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-yaml.v2sourcebuster2.2.2-1+deb10u1DLA-3479-1
golang-yaml.v2source(unstable)2.2.8-1

Notes

https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5 (v2.2.4)
Search for package or bug name: Reporting problems