Vulnerability-Lookup

CVE-2014-2525 (GCVE-0-2014-2525)

Vulnerability from cvelistv5 – Published: 2014-03-28 15:00 – Updated: 2024-08-06 10:14

Summary

Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

22 references

URL	Tags
http://www.securityfocus.com/bid/66478	vdb-entryx_refsource_BID
http://secunia.com/advisories/57836	third-party-advisoryx_refsource_SECUNIA
https://puppet.com/security/cve/cve-2014-2525	x_refsource_CONFIRM
http://www.mandriva.com/security/advisories?name=…	vendor-advisoryx_refsource_MANDRIVA
http://www.ocert.org/advisories/ocert-2014-003.html	x_refsource_MISC
http://www.debian.org/security/2014/dsa-2885	vendor-advisoryx_refsource_DEBIAN
http://www.ubuntu.com/usn/USN-2160-1	vendor-advisoryx_refsource_UBUNTU
http://lists.opensuse.org/opensuse-updates/2015-0…	vendor-advisoryx_refsource_SUSE
http://rhn.redhat.com/errata/RHSA-2014-0355.html	vendor-advisoryx_refsource_REDHAT
http://www.debian.org/security/2014/dsa-2884	vendor-advisoryx_refsource_DEBIAN
http://rhn.redhat.com/errata/RHSA-2014-0354.html	vendor-advisoryx_refsource_REDHAT
http://www.getchef.com/blog/2014/04/09/chef-serve…	x_refsource_CONFIRM
https://bitbucket.org/xi/libyaml/commits/bce8b60f…	x_refsource_CONFIRM
http://advisories.mageia.org/MGASA-2014-0150.html	x_refsource_CONFIRM
http://lists.opensuse.org/opensuse-updates/2014-0…	vendor-advisoryx_refsource_SUSE
http://support.apple.com/kb/HT6443	x_refsource_CONFIRM
http://lists.opensuse.org/opensuse-updates/2016-0…	vendor-advisoryx_refsource_SUSE
http://rhn.redhat.com/errata/RHSA-2014-0353.html	vendor-advisoryx_refsource_REDHAT
http://secunia.com/advisories/57968	third-party-advisoryx_refsource_SECUNIA
http://www.getchef.com/blog/2014/04/09/enterprise…	x_refsource_CONFIRM
http://www.getchef.com/blog/2014/04/09/enterprise…	x_refsource_CONFIRM
http://secunia.com/advisories/57966	third-party-advisoryx_refsource_SECUNIA

Date Public

2014-03-26 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T10:14:26.613Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "66478",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/66478"
          },
          {
            "name": "57836",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/57836"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://puppet.com/security/cve/cve-2014-2525"
          },
          {
            "name": "MDVSA-2015:060",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:060"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.ocert.org/advisories/ocert-2014-003.html"
          },
          {
            "name": "DSA-2885",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2014/dsa-2885"
          },
          {
            "name": "USN-2160-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2160-1"
          },
          {
            "name": "openSUSE-SU-2015:0319",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html"
          },
          {
            "name": "RHSA-2014:0355",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0355.html"
          },
          {
            "name": "DSA-2884",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2014/dsa-2884"
          },
          {
            "name": "RHSA-2014:0354",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0354.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://advisories.mageia.org/MGASA-2014-0150.html"
          },
          {
            "name": "openSUSE-SU-2014:0500",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://support.apple.com/kb/HT6443"
          },
          {
            "name": "openSUSE-SU-2016:1067",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html"
          },
          {
            "name": "RHSA-2014:0353",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0353.html"
          },
          {
            "name": "57968",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/57968"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/"
          },
          {
            "name": "57966",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/57966"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-03-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-12-08T10:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "66478",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/66478"
        },
        {
          "name": "57836",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/57836"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://puppet.com/security/cve/cve-2014-2525"
        },
        {
          "name": "MDVSA-2015:060",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:060"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.ocert.org/advisories/ocert-2014-003.html"
        },
        {
          "name": "DSA-2885",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2014/dsa-2885"
        },
        {
          "name": "USN-2160-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2160-1"
        },
        {
          "name": "openSUSE-SU-2015:0319",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html"
        },
        {
          "name": "RHSA-2014:0355",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2014-0355.html"
        },
        {
          "name": "DSA-2884",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2014/dsa-2884"
        },
        {
          "name": "RHSA-2014:0354",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2014-0354.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://advisories.mageia.org/MGASA-2014-0150.html"
        },
        {
          "name": "openSUSE-SU-2014:0500",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://support.apple.com/kb/HT6443"
        },
        {
          "name": "openSUSE-SU-2016:1067",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html"
        },
        {
          "name": "RHSA-2014:0353",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2014-0353.html"
        },
        {
          "name": "57968",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/57968"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/"
        },
        {
          "name": "57966",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/57966"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-2525",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "66478",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/66478"
            },
            {
              "name": "57836",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/57836"
            },
            {
              "name": "https://puppet.com/security/cve/cve-2014-2525",
              "refsource": "CONFIRM",
              "url": "https://puppet.com/security/cve/cve-2014-2525"
            },
            {
              "name": "MDVSA-2015:060",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:060"
            },
            {
              "name": "http://www.ocert.org/advisories/ocert-2014-003.html",
              "refsource": "MISC",
              "url": "http://www.ocert.org/advisories/ocert-2014-003.html"
            },
            {
              "name": "DSA-2885",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2014/dsa-2885"
            },
            {
              "name": "USN-2160-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2160-1"
            },
            {
              "name": "openSUSE-SU-2015:0319",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html"
            },
            {
              "name": "RHSA-2014:0355",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0355.html"
            },
            {
              "name": "DSA-2884",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2014/dsa-2884"
            },
            {
              "name": "RHSA-2014:0354",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0354.html"
            },
            {
              "name": "http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/",
              "refsource": "CONFIRM",
              "url": "http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/"
            },
            {
              "name": "https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048",
              "refsource": "CONFIRM",
              "url": "https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048"
            },
            {
              "name": "http://advisories.mageia.org/MGASA-2014-0150.html",
              "refsource": "CONFIRM",
              "url": "http://advisories.mageia.org/MGASA-2014-0150.html"
            },
            {
              "name": "openSUSE-SU-2014:0500",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00022.html"
            },
            {
              "name": "http://support.apple.com/kb/HT6443",
              "refsource": "CONFIRM",
              "url": "http://support.apple.com/kb/HT6443"
            },
            {
              "name": "openSUSE-SU-2016:1067",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html"
            },
            {
              "name": "RHSA-2014:0353",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0353.html"
            },
            {
              "name": "57968",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/57968"
            },
            {
              "name": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/",
              "refsource": "CONFIRM",
              "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
            },
            {
              "name": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/",
              "refsource": "CONFIRM",
              "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/"
            },
            {
              "name": "57966",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/57966"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2014-2525",
    "datePublished": "2014-03-28T15:00:00.000Z",
    "dateReserved": "2014-03-17T00:00:00.000Z",
    "dateUpdated": "2024-08-06T10:14:26.613Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2014-2525",
      "date": "2026-06-05",
      "epss": "0.61898",
      "percentile": "0.98366"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2014-2525\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2014-03-28T15:55:08.670\",\"lastModified\":\"2026-05-06T22:30:45.220\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.\"},{\"lang\":\"es\",\"value\":\"Desbordamiento de buffer basado en memoria din\u00e1mica en la funci\u00f3n yaml_parser_scan_uri_escapes en LibYAML anterior a 0.1.6 permite a atacantes dependientes de contexto ejecutar c\u00f3digo arbitrario a trav\u00e9s de una secuencia larga de caracteres codificados de porcentaje en una URI en un archivo YAML.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pyyaml:libyaml:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"0.1.5\",\"matchCriteriaId\":\"BF15A6D7-D1CD-4B9A-8A90-81E441C531EF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pyyaml:libyaml:0.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F454F77-1AB1-44CF-8E1F-47BD71966CB8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pyyaml:libyaml:0.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F2A3FC6-ADD6-4890-A91E-7B42138CB1B4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pyyaml:libyaml:0.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7892D90-243C-4588-92D0-F49B3443B3DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pyyaml:libyaml:0.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9759A8FD-7010-4D10-9E26-A03FDDDA187B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pyyaml:libyaml:0.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7AE63A49-551A-4C0F-8ED9-AE1DB049B141\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4863BE36-D16A-4D75-90D9-FD76DB5B48B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A10BC294-9196-425F-9FB0-B1625465B47F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"03117DF1-3BEC-4B8D-AD63-DBBDB2126081\"}]}]}],\"references\":[{\"url\":\"http://advisories.mageia.org/MGASA-2014-0150.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2014-04/msg00022.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0353.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0354.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0355.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/57836\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/57966\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/57968\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://support.apple.com/kb/HT6443\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.debian.org/security/2014/dsa-2884\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.debian.org/security/2014/dsa-2885\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDVSA-2015:060\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.ocert.org/advisories/ocert-2014-003.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://www.securityfocus.com/bid/66478\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2160-1\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Patch\"]},{\"url\":\"https://puppet.com/security/cve/cve-2014-2525\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://advisories.mageia.org/MGASA-2014-0150.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2014-04/msg00022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0353.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0354.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0355.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/57836\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/57966\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/57968\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://support.apple.com/kb/HT6443\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2014/dsa-2884\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2014/dsa-2885\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDVSA-2015:060\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.ocert.org/advisories/ocert-2014-003.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://www.securityfocus.com/bid/66478\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2160-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\"]},{\"url\":\"https://puppet.com/security/cve/cve-2014-2525\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

RHSA-2014:0415

Vulnerability from csaf_redhat - Published: 2014-04-17 12:01 - Updated: 2026-03-13 01:03

Summary

Red Hat Security Advisory: libyaml security update

Severity

Important

Notes

Topic: Updated libyaml packages that fix two security issues are now available for Red Hat Common for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Details: YAML is a data serialization format designed for human readability and interaction with scripting languages. LibYAML is a YAML parser and emitter written in C. A buffer overflow flaw was found in the way the libyaml library parsed URLs in YAML documents. An attacker able to load specially crafted YAML input to an application using libyaml could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2014-2525) An integer overflow flaw was found in the way the libyaml library handled excessively long YAML tags. An attacker able to load specially crafted YAML input to application using libyaml could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2013-6393) Red Hat would like to thank oCERT for reporting the CVE-2014-2525 issue. oCERT acknowledges Ivan Fratric of the Google Security Team as the original reporter. The CVE-2013-6393 issue was discovered by Florian Weimer of the Red Hat Product Security Team. Note: In their default configuration, applications distributed via the Red Hat Common channel do not use the libyaml library for parsing YAML, and are therefore not vulnerable to these issues. All libyaml users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications linked against the libyaml library must be restarted for this update to take effect.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2013-6393

A heap based buffer oveflow exists in the libyaml package such that a remote attacker could provide a specifically crafted YAML document when parsed by the application could result in remote code execution and complete compromise of the system.

4.3 ()


                        
                          AV:A/AC:H/Au:N/C:P/I:P/A:P

CWE-122 - Heap-based Buffer Overflow

Affected products

Fixed 7 products

Product	Version	Remediation
Unresolved product id: 6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.i686	—	Vendor Fix fix Workaround
Unresolved product id: 6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.src	—	Vendor Fix fix Workaround
Unresolved product id: 6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.x86_64	—	Vendor Fix fix Workaround
Unresolved product id: 6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.i686	—	Vendor Fix fix Workaround
Unresolved product id: 6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64	—	Vendor Fix fix Workaround
Unresolved product id: 6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.i686	—	Vendor Fix fix Workaround
Unresolved product id: 6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.x86_64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2014-2525

A heap based buffer overflow exists in the libyaml package such that an attacker by supplying a specially crafted yaml document when parsed by the application might result in remote code execution leading to complete compromise of the system.

6.8 ()


                        
                          AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-122 - Heap-based Buffer Overflow

Affected products

Fixed 7 products

Product	Version	Remediation
Unresolved product id: 6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.i686	—	Vendor Fix fix Workaround
Unresolved product id: 6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.src	—	Vendor Fix fix Workaround
Unresolved product id: 6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.x86_64	—	Vendor Fix fix Workaround
Unresolved product id: 6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.i686	—	Vendor Fix fix Workaround
Unresolved product id: 6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64	—	Vendor Fix fix Workaround
Unresolved product id: 6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.i686	—	Vendor Fix fix Workaround
Unresolved product id: 6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.x86_64	—	Vendor Fix fix Workaround

Threats

Impact Important

References

13 references

URL	Category
https://access.redhat.com/errata/RHSA-2014:0415	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=1033990	external
https://bugzilla.redhat.com/show_bug.cgi?id=1078083	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2013-6393	self
https://bugzilla.redhat.com/show_bug.cgi?id=1033990	external
https://www.cve.org/CVERecord?id=CVE-2013-6393	external
https://nvd.nist.gov/vuln/detail/CVE-2013-6393	external
https://access.redhat.com/security/cve/CVE-2014-2525	self
https://bugzilla.redhat.com/show_bug.cgi?id=1078083	external
https://www.cve.org/CVERecord?id=CVE-2014-2525	external
https://nvd.nist.gov/vuln/detail/CVE-2014-2525	external

Acknowledgments

Red Hat Product Security Team Florian Weimer

oCERT

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated libyaml packages that fix two security issues are now available for\nRed Hat Common for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "YAML is a data serialization format designed for human readability and\ninteraction with scripting languages. LibYAML is a YAML parser and emitter\nwritten in C.\n\nA buffer overflow flaw was found in the way the libyaml library parsed URLs\nin YAML documents. An attacker able to load specially crafted YAML input to\nan application using libyaml could cause the application to crash or,\npotentially, execute arbitrary code with the privileges of the user running\nthe application. (CVE-2014-2525)\n\nAn integer overflow flaw was found in the way the libyaml library handled\nexcessively long YAML tags. An attacker able to load specially crafted YAML\ninput to application using libyaml could cause the application to crash or,\npotentially, execute arbitrary code with the privileges of the user running\nthe application. (CVE-2013-6393)\n\nRed Hat would like to thank oCERT for reporting the CVE-2014-2525 issue.\noCERT acknowledges Ivan Fratric of the Google Security Team as the original\nreporter. The CVE-2013-6393 issue was discovered by Florian Weimer of the\nRed Hat Product Security Team.\n\nNote: In their default configuration, applications distributed via the Red\nHat Common channel do not use the libyaml library for parsing YAML, and are\ntherefore not vulnerable to these issues.\n\nAll libyaml users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. All running\napplications linked against the libyaml library must be restarted for this\nupdate to take effect.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0415",
        "url": "https://access.redhat.com/errata/RHSA-2014:0415"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "1033990",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1033990"
      },
      {
        "category": "external",
        "summary": "1078083",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1078083"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0415.json"
      }
    ],
    "title": "Red Hat Security Advisory: libyaml security update",
    "tracking": {
      "current_release_date": "2026-03-13T01:03:51+00:00",
      "generator": {
        "date": "2026-03-13T01:03:51+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.3"
        }
      },
      "id": "RHSA-2014:0415",
      "initial_release_date": "2014-04-17T12:01:57+00:00",
      "revision_history": [
        {
          "date": "2014-04-17T12:01:57+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2014-04-17T12:01:57+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-13T01:03:51+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Common for RHEL Server (v. 6)",
                "product": {
                  "name": "Red Hat Common for RHEL Server (v. 6)",
                  "product_id": "6Server-RH-Common",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_common:6::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Common"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libyaml-debuginfo-0:0.1.3-1.4.el6.i686",
                "product": {
                  "name": "libyaml-debuginfo-0:0.1.3-1.4.el6.i686",
                  "product_id": "libyaml-debuginfo-0:0.1.3-1.4.el6.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libyaml-debuginfo@0.1.3-1.4.el6?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libyaml-0:0.1.3-1.4.el6.i686",
                "product": {
                  "name": "libyaml-0:0.1.3-1.4.el6.i686",
                  "product_id": "libyaml-0:0.1.3-1.4.el6.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libyaml@0.1.3-1.4.el6?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libyaml-devel-0:0.1.3-1.4.el6.i686",
                "product": {
                  "name": "libyaml-devel-0:0.1.3-1.4.el6.i686",
                  "product_id": "libyaml-devel-0:0.1.3-1.4.el6.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libyaml-devel@0.1.3-1.4.el6?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64",
                "product": {
                  "name": "libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64",
                  "product_id": "libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libyaml-debuginfo@0.1.3-1.4.el6?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libyaml-0:0.1.3-1.4.el6.x86_64",
                "product": {
                  "name": "libyaml-0:0.1.3-1.4.el6.x86_64",
                  "product_id": "libyaml-0:0.1.3-1.4.el6.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libyaml@0.1.3-1.4.el6?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libyaml-devel-0:0.1.3-1.4.el6.x86_64",
                "product": {
                  "name": "libyaml-devel-0:0.1.3-1.4.el6.x86_64",
                  "product_id": "libyaml-devel-0:0.1.3-1.4.el6.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libyaml-devel@0.1.3-1.4.el6?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libyaml-0:0.1.3-1.4.el6.src",
                "product": {
                  "name": "libyaml-0:0.1.3-1.4.el6.src",
                  "product_id": "libyaml-0:0.1.3-1.4.el6.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libyaml@0.1.3-1.4.el6?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libyaml-0:0.1.3-1.4.el6.i686 as a component of Red Hat Common for RHEL Server (v. 6)",
          "product_id": "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.i686"
        },
        "product_reference": "libyaml-0:0.1.3-1.4.el6.i686",
        "relates_to_product_reference": "6Server-RH-Common"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libyaml-0:0.1.3-1.4.el6.src as a component of Red Hat Common for RHEL Server (v. 6)",
          "product_id": "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.src"
        },
        "product_reference": "libyaml-0:0.1.3-1.4.el6.src",
        "relates_to_product_reference": "6Server-RH-Common"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libyaml-0:0.1.3-1.4.el6.x86_64 as a component of Red Hat Common for RHEL Server (v. 6)",
          "product_id": "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.x86_64"
        },
        "product_reference": "libyaml-0:0.1.3-1.4.el6.x86_64",
        "relates_to_product_reference": "6Server-RH-Common"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libyaml-debuginfo-0:0.1.3-1.4.el6.i686 as a component of Red Hat Common for RHEL Server (v. 6)",
          "product_id": "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.i686"
        },
        "product_reference": "libyaml-debuginfo-0:0.1.3-1.4.el6.i686",
        "relates_to_product_reference": "6Server-RH-Common"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64 as a component of Red Hat Common for RHEL Server (v. 6)",
          "product_id": "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64"
        },
        "product_reference": "libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64",
        "relates_to_product_reference": "6Server-RH-Common"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libyaml-devel-0:0.1.3-1.4.el6.i686 as a component of Red Hat Common for RHEL Server (v. 6)",
          "product_id": "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.i686"
        },
        "product_reference": "libyaml-devel-0:0.1.3-1.4.el6.i686",
        "relates_to_product_reference": "6Server-RH-Common"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libyaml-devel-0:0.1.3-1.4.el6.x86_64 as a component of Red Hat Common for RHEL Server (v. 6)",
          "product_id": "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.x86_64"
        },
        "product_reference": "libyaml-devel-0:0.1.3-1.4.el6.x86_64",
        "relates_to_product_reference": "6Server-RH-Common"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Florian Weimer"
          ],
          "organization": "Red Hat Product Security Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2013-6393",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "discovery_date": "2013-11-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1033990"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A heap based buffer oveflow exists in the libyaml package such that a remote attacker could provide a specifically crafted YAML document when parsed by the application could result in remote code execution and complete compromise of the system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "libyaml: heap-based buffer overflow when parsing YAML tags",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The Red Hat security response team has rated this issue as having low security impact in Red Hat Enterpise MRG 1 and 2, CloudForms 3, and Red Hat Network Satellite 5. This issue is not currently planned to be addressed in future updates.Redhat satellite 6 does not ship libyaml\n\nThe Red Hat security response team has rated this issue as having low security impact in Red Hat Update Infrastructure. A future update may address this issue. \n\nThe Red Hat security response team has rated this issue as having moderate security impact in Subscription Asset Manager 1. A future update may address this issue.\n\nFor additional information, refer to the Issue Severity Classification:\nhttps://access.redhat.com/security/updates/classification/",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.i686",
          "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.src",
          "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.x86_64",
          "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.i686",
          "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64",
          "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.i686",
          "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-6393"
        },
        {
          "category": "external",
          "summary": "RHBZ#1033990",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1033990"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-6393",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-6393"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6393",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6393"
        }
      ],
      "release_date": "2014-01-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-04-17T12:01:57+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.src",
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.x86_64",
            "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64",
            "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0415"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.src",
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.x86_64",
            "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64",
            "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:A/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.src",
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.x86_64",
            "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64",
            "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "libyaml: heap-based buffer overflow when parsing YAML tags"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "oCERT"
          ]
        }
      ],
      "cve": "CVE-2014-2525",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "discovery_date": "2014-03-18T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1078083"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A heap based buffer overflow exists in the libyaml package such that an attacker by supplying a specially crafted yaml document when parsed by the application might result in remote code execution leading to complete compromise of the system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "libyaml: heap-based buffer overflow when parsing URLs",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Redhat satellite does not ship libyaml package but instead consumes the package from the RHEL distribution which is why it has been marked as not affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.i686",
          "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.src",
          "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.x86_64",
          "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.i686",
          "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64",
          "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.i686",
          "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-2525"
        },
        {
          "category": "external",
          "summary": "RHBZ#1078083",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1078083"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-2525",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-2525"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-2525",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2525"
        }
      ],
      "release_date": "2014-03-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-04-17T12:01:57+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.src",
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.x86_64",
            "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64",
            "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0415"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.src",
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.x86_64",
            "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64",
            "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.src",
            "6Server-RH-Common:libyaml-0:0.1.3-1.4.el6.x86_64",
            "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-debuginfo-0:0.1.3-1.4.el6.x86_64",
            "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.i686",
            "6Server-RH-Common:libyaml-devel-0:0.1.3-1.4.el6.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "libyaml: heap-based buffer overflow when parsing URLs"
    }
  ]
}

SUSE-SU-2015:0953-1

Vulnerability from csaf_suse - Published: 2015-02-10 14:18 - Updated: 2015-02-10 14:18

Summary

Security update for perl-YAML-LibYAML

Severity

Moderate

Notes

Title of the patch: Security update for perl-YAML-LibYAML

Description of the patch: perl-YAML-LibYAML was updated to fix three security issues. These security issues were fixed: - CVE-2013-6393: The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performed an incorrect cast, which allowed remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggered a heap-based buffer overflow (bnc#860617, bnc#911782). - CVE-2014-9130: scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allowed context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping (bnc#907809, bnc#911782). - CVE-2014-2525: Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allowed context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file (bnc#868944, bnc#911782).

Patchnames: SUSE-SLE-SERVER-12-2015-215

CVE-2013-6393

Affected products

Recommended 6 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2014-2525

Affected products

Recommended 6 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2014-9130

Affected products

Recommended 6 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

21 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/860617	self
https://bugzilla.suse.com/868944	self
https://bugzilla.suse.com/907809	self
https://bugzilla.suse.com/911782	self
https://www.suse.com/security/cve/CVE-2013-6393/	self
https://www.suse.com/security/cve/CVE-2014-2525/	self
https://www.suse.com/security/cve/CVE-2014-9130/	self
https://www.suse.com/security/cve/CVE-2013-6393	external
https://bugzilla.suse.com/860617	external
https://bugzilla.suse.com/911782	external
https://www.suse.com/security/cve/CVE-2014-2525	external
https://bugzilla.suse.com/868944	external
https://bugzilla.suse.com/911782	external
https://www.suse.com/security/cve/CVE-2014-9130	external
https://bugzilla.suse.com/907809	external
https://bugzilla.suse.com/911782	external
https://bugzilla.suse.com/921588	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for perl-YAML-LibYAML",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "perl-YAML-LibYAML was updated to fix three security issues.\n\nThese security issues were fixed:\n- CVE-2013-6393: The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performed an incorrect cast, which allowed remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggered a heap-based buffer overflow (bnc#860617, bnc#911782).\n- CVE-2014-9130: scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allowed context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping (bnc#907809, bnc#911782).\n- CVE-2014-2525: Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allowed context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file (bnc#868944, bnc#911782).\n  ",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLE-SERVER-12-2015-215",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2015_0953-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2015:0953-1",
        "url": "https://www.suse.com/support/update/announcement/2015/suse-su-20150953-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2015:0953-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2015-May/001411.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 860617",
        "url": "https://bugzilla.suse.com/860617"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 868944",
        "url": "https://bugzilla.suse.com/868944"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 907809",
        "url": "https://bugzilla.suse.com/907809"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 911782",
        "url": "https://bugzilla.suse.com/911782"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2013-6393 page",
        "url": "https://www.suse.com/security/cve/CVE-2013-6393/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2014-2525 page",
        "url": "https://www.suse.com/security/cve/CVE-2014-2525/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2014-9130 page",
        "url": "https://www.suse.com/security/cve/CVE-2014-9130/"
      }
    ],
    "title": "Security update for perl-YAML-LibYAML",
    "tracking": {
      "current_release_date": "2015-02-10T14:18:22Z",
      "generator": {
        "date": "2015-02-10T14:18:22Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2015:0953-1",
      "initial_release_date": "2015-02-10T14:18:22Z",
      "revision_history": [
        {
          "date": "2015-02-10T14:18:22Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "perl-YAML-LibYAML-0.38-10.1.ppc64le",
                "product": {
                  "name": "perl-YAML-LibYAML-0.38-10.1.ppc64le",
                  "product_id": "perl-YAML-LibYAML-0.38-10.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "perl-YAML-LibYAML-0.38-10.1.s390x",
                "product": {
                  "name": "perl-YAML-LibYAML-0.38-10.1.s390x",
                  "product_id": "perl-YAML-LibYAML-0.38-10.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "perl-YAML-LibYAML-0.38-10.1.x86_64",
                "product": {
                  "name": "perl-YAML-LibYAML-0.38-10.1.x86_64",
                  "product_id": "perl-YAML-LibYAML-0.38-10.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 12",
                "product": {
                  "name": "SUSE Linux Enterprise Server 12",
                  "product_id": "SUSE Linux Enterprise Server 12",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:12"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 12",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 12",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 12",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:12"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-YAML-LibYAML-0.38-10.1.ppc64le as component of SUSE Linux Enterprise Server 12",
          "product_id": "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le"
        },
        "product_reference": "perl-YAML-LibYAML-0.38-10.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-YAML-LibYAML-0.38-10.1.s390x as component of SUSE Linux Enterprise Server 12",
          "product_id": "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x"
        },
        "product_reference": "perl-YAML-LibYAML-0.38-10.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-YAML-LibYAML-0.38-10.1.x86_64 as component of SUSE Linux Enterprise Server 12",
          "product_id": "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
        },
        "product_reference": "perl-YAML-LibYAML-0.38-10.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-YAML-LibYAML-0.38-10.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le"
        },
        "product_reference": "perl-YAML-LibYAML-0.38-10.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-YAML-LibYAML-0.38-10.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x"
        },
        "product_reference": "perl-YAML-LibYAML-0.38-10.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-YAML-LibYAML-0.38-10.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
        },
        "product_reference": "perl-YAML-LibYAML-0.38-10.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2013-6393",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2013-6393"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2013-6393",
          "url": "https://www.suse.com/security/cve/CVE-2013-6393"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 860617 for CVE-2013-6393",
          "url": "https://bugzilla.suse.com/860617"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 911782 for CVE-2013-6393",
          "url": "https://bugzilla.suse.com/911782"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2015-02-10T14:18:22Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2013-6393"
    },
    {
      "cve": "CVE-2014-2525",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2014-2525"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2014-2525",
          "url": "https://www.suse.com/security/cve/CVE-2014-2525"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 868944 for CVE-2014-2525",
          "url": "https://bugzilla.suse.com/868944"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 911782 for CVE-2014-2525",
          "url": "https://bugzilla.suse.com/911782"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2015-02-10T14:18:22Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2014-2525"
    },
    {
      "cve": "CVE-2014-9130",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2014-9130"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2014-9130",
          "url": "https://www.suse.com/security/cve/CVE-2014-9130"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 907809 for CVE-2014-9130",
          "url": "https://bugzilla.suse.com/907809"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 911782 for CVE-2014-9130",
          "url": "https://bugzilla.suse.com/911782"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 921588 for CVE-2014-9130",
          "url": "https://bugzilla.suse.com/921588"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2015-02-10T14:18:22Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2014-9130"
    }
  ]
}

SUSE-SU-2015:0953-2

Vulnerability from csaf_suse - Published: 2015-02-10 14:18 - Updated: 2015-02-10 14:18

Summary

Security update for perl-YAML-LibYAML

Severity

Moderate

Notes

Title of the patch: Security update for perl-YAML-LibYAML

Patchnames: SUSE-SLE-DESKTOP-12-2015-215,SUSE-SLE-SERVER-12-2015-215

CVE-2013-6393

Affected products

Recommended 7 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Desktop 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2014-2525

Affected products

Recommended 7 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Desktop 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2014-9130

Affected products

Recommended 7 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Desktop 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

21 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/860617	self
https://bugzilla.suse.com/868944	self
https://bugzilla.suse.com/907809	self
https://bugzilla.suse.com/911782	self
https://www.suse.com/security/cve/CVE-2013-6393/	self
https://www.suse.com/security/cve/CVE-2014-2525/	self
https://www.suse.com/security/cve/CVE-2014-9130/	self
https://www.suse.com/security/cve/CVE-2013-6393	external
https://bugzilla.suse.com/860617	external
https://bugzilla.suse.com/911782	external
https://www.suse.com/security/cve/CVE-2014-2525	external
https://bugzilla.suse.com/868944	external
https://bugzilla.suse.com/911782	external
https://www.suse.com/security/cve/CVE-2014-9130	external
https://bugzilla.suse.com/907809	external
https://bugzilla.suse.com/911782	external
https://bugzilla.suse.com/921588	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for perl-YAML-LibYAML",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "perl-YAML-LibYAML was updated to fix three security issues.\n\nThese security issues were fixed:\n- CVE-2013-6393: The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performed an incorrect cast, which allowed remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggered a heap-based buffer overflow (bnc#860617, bnc#911782).\n- CVE-2014-9130: scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allowed context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping (bnc#907809, bnc#911782).\n- CVE-2014-2525: Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allowed context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file (bnc#868944, bnc#911782).\n  ",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLE-DESKTOP-12-2015-215,SUSE-SLE-SERVER-12-2015-215",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2015_0953-2.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2015:0953-2",
        "url": "https://www.suse.com/support/update/announcement/2015/suse-su-20150953-2/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2015:0953-2",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2015-May/001412.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 860617",
        "url": "https://bugzilla.suse.com/860617"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 868944",
        "url": "https://bugzilla.suse.com/868944"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 907809",
        "url": "https://bugzilla.suse.com/907809"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 911782",
        "url": "https://bugzilla.suse.com/911782"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2013-6393 page",
        "url": "https://www.suse.com/security/cve/CVE-2013-6393/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2014-2525 page",
        "url": "https://www.suse.com/security/cve/CVE-2014-2525/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2014-9130 page",
        "url": "https://www.suse.com/security/cve/CVE-2014-9130/"
      }
    ],
    "title": "Security update for perl-YAML-LibYAML",
    "tracking": {
      "current_release_date": "2015-02-10T14:18:22Z",
      "generator": {
        "date": "2015-02-10T14:18:22Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2015:0953-2",
      "initial_release_date": "2015-02-10T14:18:22Z",
      "revision_history": [
        {
          "date": "2015-02-10T14:18:22Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "perl-YAML-LibYAML-0.38-10.1.ppc64le",
                "product": {
                  "name": "perl-YAML-LibYAML-0.38-10.1.ppc64le",
                  "product_id": "perl-YAML-LibYAML-0.38-10.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "perl-YAML-LibYAML-0.38-10.1.s390x",
                "product": {
                  "name": "perl-YAML-LibYAML-0.38-10.1.s390x",
                  "product_id": "perl-YAML-LibYAML-0.38-10.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "perl-YAML-LibYAML-0.38-10.1.x86_64",
                "product": {
                  "name": "perl-YAML-LibYAML-0.38-10.1.x86_64",
                  "product_id": "perl-YAML-LibYAML-0.38-10.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Desktop 12",
                "product": {
                  "name": "SUSE Linux Enterprise Desktop 12",
                  "product_id": "SUSE Linux Enterprise Desktop 12",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sled:12"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 12",
                "product": {
                  "name": "SUSE Linux Enterprise Server 12",
                  "product_id": "SUSE Linux Enterprise Server 12",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:12"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 12",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 12",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 12",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:12"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-YAML-LibYAML-0.38-10.1.x86_64 as component of SUSE Linux Enterprise Desktop 12",
          "product_id": "SUSE Linux Enterprise Desktop 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
        },
        "product_reference": "perl-YAML-LibYAML-0.38-10.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Desktop 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-YAML-LibYAML-0.38-10.1.ppc64le as component of SUSE Linux Enterprise Server 12",
          "product_id": "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le"
        },
        "product_reference": "perl-YAML-LibYAML-0.38-10.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-YAML-LibYAML-0.38-10.1.s390x as component of SUSE Linux Enterprise Server 12",
          "product_id": "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x"
        },
        "product_reference": "perl-YAML-LibYAML-0.38-10.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-YAML-LibYAML-0.38-10.1.x86_64 as component of SUSE Linux Enterprise Server 12",
          "product_id": "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
        },
        "product_reference": "perl-YAML-LibYAML-0.38-10.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-YAML-LibYAML-0.38-10.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le"
        },
        "product_reference": "perl-YAML-LibYAML-0.38-10.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-YAML-LibYAML-0.38-10.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x"
        },
        "product_reference": "perl-YAML-LibYAML-0.38-10.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-YAML-LibYAML-0.38-10.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
        },
        "product_reference": "perl-YAML-LibYAML-0.38-10.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2013-6393",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2013-6393"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Desktop 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2013-6393",
          "url": "https://www.suse.com/security/cve/CVE-2013-6393"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 860617 for CVE-2013-6393",
          "url": "https://bugzilla.suse.com/860617"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 911782 for CVE-2013-6393",
          "url": "https://bugzilla.suse.com/911782"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Desktop 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2015-02-10T14:18:22Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2013-6393"
    },
    {
      "cve": "CVE-2014-2525",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2014-2525"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Desktop 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2014-2525",
          "url": "https://www.suse.com/security/cve/CVE-2014-2525"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 868944 for CVE-2014-2525",
          "url": "https://bugzilla.suse.com/868944"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 911782 for CVE-2014-2525",
          "url": "https://bugzilla.suse.com/911782"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Desktop 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2015-02-10T14:18:22Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2014-2525"
    },
    {
      "cve": "CVE-2014-9130",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2014-9130"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Desktop 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x",
          "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x",
          "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2014-9130",
          "url": "https://www.suse.com/security/cve/CVE-2014-9130"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 907809 for CVE-2014-9130",
          "url": "https://bugzilla.suse.com/907809"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 911782 for CVE-2014-9130",
          "url": "https://bugzilla.suse.com/911782"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 921588 for CVE-2014-9130",
          "url": "https://bugzilla.suse.com/921588"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Desktop 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.s390x",
            "SUSE Linux Enterprise Server 12:perl-YAML-LibYAML-0.38-10.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12:perl-YAML-LibYAML-0.38-10.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2015-02-10T14:18:22Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2014-9130"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2014-2525 (GCVE-0-2014-2525)

RHSA-2014:0415

SUSE-SU-2015:0953-1

SUSE-SU-2015:0953-2

Tags

Sightings

Nomenclature