Ubuntu Security Notice 6233-2 - USN-6233-1 fixed vulnerabilities in YAJL. This update provides the corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. It was discovered that YAJL was not properly performing bounds checks when decoding a string with escape sequences. If a user or automated system using YAJL were tricked into processing specially crafted input, an attacker could possibly use this issue to cause a denial of service .
1a79b120418384147adf55646f48f838ca04a6cd9e3d760d119309f406d0434a==========================================================================
Ubuntu Security Notice USN-6233-2
December 14, 2023
yajl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in YAJL.
Software Description:
- yajl: Yet Another JSON Library
Details:
USN-6233-1 fixed vulnerabilities in YAJL. This update provides the
corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu
23.04.
Original advisory details:
It was discovered that YAJL was not properly performing bounds checks when
decoding a string with escape sequences. If a user or automated system
using YAJL were tricked into processing specially crafted input, an
attacker could possibly use this issue to cause a denial of service
(application abort). (CVE-2017-16516)
It was discovered that YAJL was not properly handling memory allocation
when dealing with large inputs, which could lead to heap memory
corruption. If a user or automated system using YAJL were tricked into
running a specially crafted large input, an attacker could possibly use
this issue to cause a denial of service. (CVE-2022-24795)
It was discovered that memory leaks existed in one of the YAJL parsing
functions. An attacker could possibly use this issue to cause a denial of
service (memory exhaustion). (CVE-2023-33460)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
libyajl2 2.1.0-3ubuntu0.23.04.1
Ubuntu 22.04 LTS:
libyajl2 2.1.0-3ubuntu0.22.04.1
Ubuntu 20.04 LTS:
libyajl2 2.1.0-3ubuntu0.20.04.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6233-2
https://ubuntu.com/security/notices/USN-6233-1
CVE-2017-16516, CVE-2022-24795, CVE-2023-33460
Package Information:
https://launchpad.net/ubuntu/+source/yajl/2.1.0-3ubuntu0.23.04.1
https://launchpad.net/ubuntu/+source/yajl/2.1.0-3ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/yajl/2.1.0-3ubuntu0.20.04.1
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed