CVE-2014-9130

Description

scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.

How to fix CVE-2014-9130

To remediate CVE-2014-9130, upgrade the affected package to a fixed version below.

• Alpine/yaml—upgrade to 0.1.6-r1 or later
• Debian/libyaml—upgrade to 0.1.4-2+deb7u5 or later
• Debian/libyaml—upgrade to 0.1.6-3 or later
• —upgrade to 0.1.3-1+deb6u5 or later
• —upgrade to 0.33-1+squeeze4 or later
• —upgrade to 0.41-6 or later
• —upgrade to 0.38-3+deb7u3 or later
• —upgrade to 3.11-2 or later
• —upgrade to 3.09-5+deb6u1 or later
• —upgrade to 3.10-4+deb7u1 or later

Is CVE-2014-9130 being exploited?

Likely — EPSS is 57.6%, placing CVE-2014-9130 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (10)

• from 0, < 0.1.6-r1
• from 0, < 0.1.4-2+deb7u5
• from 0, < 0.1.6-3
• from 0, < 0.1.3-1+deb6u5
• from 0, < 0.33-1+squeeze4
• from 0, < 0.41-6
• from 0, < 0.38-3+deb7u3
• from 0, < 3.11-2
• from 0, < 3.09-5+deb6u1
• from 0, < 3.10-4+deb7u1

References (2)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2014-9130
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-9130