CVE-2023-33460

Published: 6 June 2023

There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash.

Notes

Author	Note
alexmurray	argyll and r-cran-jsonlite appear to vendor a copy of yajl
mdeslaur	as of 2023-06-07, there is no fix available from the upstream yajl project

6.5

Package	Release	Status
argyll Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	jammy	Needs triage
	kinetic	Ignored (end of life, was needs-triage)
	lunar	Ignored (end of life, was needs-triage)
	mantic	Needs triage
	noble	Needs triage
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Needs triage
r-cran-jsonlite Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	jammy	Needs triage
	kinetic	Ignored (end of life, was needs-triage)
	lunar	Ignored (end of life, was needs-triage)
	mantic	Needs triage
	noble	Needs triage
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Needs triage
yajl Launchpad, Ubuntu, Debian	bionic	Released (2.1.0-2ubuntu0.18.04.1~esm1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	focal	Released (2.1.0-3ubuntu0.20.04.1)
	jammy	Released (2.1.0-3ubuntu0.22.04.1)
	kinetic	Ignored (end of life, was needed)
	lunar	Released (2.1.0-3ubuntu0.23.04.1)
	mantic	Not vulnerable (2.1.0-5)
	noble	Not vulnerable (2.1.0-5)
	trusty	Released (2.0.4-4ubuntu0.1~esm1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	upstream	Released (2.1.0-3+deb10u2)
	xenial	Released (2.1.0-2ubuntu0.16.04.1~esm1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	Patches: other: https://github.com/openEuler-BaseService/yajl/commit/3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf other: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.