mirror of
https://github.com/OMGeeky/advisory-db.git
synced 2026-02-23 15:38:27 +01:00
64c17acfe3
As announced in #228, this commit migrates all advisories to the new V2 format, which splits version information into a separate section, and now has a structure which corresponds to the internal code structure of the `rustsec` crate. This is a breaking change for users of `cargo-audit` < 0.9, and anyone who has written a 3rd party advisory format parser.
21 lines
560 B
TOML
21 lines
560 B
TOML
[advisory]
|
|
id = "RUSTSEC-2018-0005"
|
|
package = "serde_yaml"
|
|
date = "2018-09-17"
|
|
title = "Uncontrolled recursion leads to abort in deserialization"
|
|
url = "https://github.com/dtolnay/serde-yaml/pull/105"
|
|
keywords = ["crash"]
|
|
description = """
|
|
Affected versions of this crate did not properly check for recursion
|
|
while deserializing aliases.
|
|
|
|
This allows an attacker to make a YAML file with an alias referring
|
|
to itself causing an abort.
|
|
|
|
The flaw was corrected by checking the recursion depth.
|
|
"""
|
|
|
|
[versions]
|
|
patched = [">= 0.8.4"]
|
|
unaffected = ["< 0.6.0-rc1"]
|