CVE-2022-1471 - Dependency Snakeyaml Critical 9.8 score vulnerability about uap-java HOT 10 CLOSED

Come on. It's been six more months. Just release an update so all the Maven dependencies can be updated to bring in the version of SnakeYAML that doesn't flag a CVE. It doesn't matter if you think it's a real or imaginary vulnerability. Tools flag the dependencies as having CVEs.

from uap-java.

I think it is safe to update SnakeYAML to 2.0.

See release notes: https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes

PR for this project: #82

from uap-java.

Is there an ETA on when the next release will be made that contains 82 and/or 83?

from uap-java.

I don’t have a specific eta but I will do it once I have some time to evaluate all the recent PRs and requests

from uap-java.

@bpossolo My suggestion would be to make a release that is only the individual pull request to update the SnakeYAML dependency as it has a security vulnerability.

from uap-java.

from my understanding, the “security vulnerability” is not a real vulnerability as has been pointed out by the maintainers of snakeyml.
It’s only a vulnerability if youre using snakeyml to load untrusted content.

i need to figure out if the best path forward is to use a different lib (doesn’t introduce breaking change) or if it should be done at build time (introduced breaking change)

from uap-java.

Guys can you please release a new version ...
This is causing issue with project with uap-java and springboot 3.2+

from uap-java.

Could you please release a version with snake yaml 2.0 ?

from uap-java.

please.. this is really urgent! Can we release version with snake yaml 2.x?

from uap-java.

I'm pleased to announce version 1.6.1 has been released to Maven Central and the security vulnerability has been addressed.

see here for what's changed
https://github.com/ua-parser/uap-java/releases/tag/v1.6.1

from uap-java.