-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4525-1 [email protected]
https://www.debian.org/lts/security/ Andrej Shadura
April 09, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package        : libyaml-syck-perl
Version        : 1.34-1+deb11u1
CVE ID         : CVE-2025-11683 CVE-2026-4177
Brief introduction
CVE-2025-11683
Missing null terminators in token.c lead to an out-of-bounds read
which allows an adjacent variable to be read. The issue is seen with
complex YAML files containing a hash whose keys all have empty values.
CVE-2026-4177
Several security vulnerabilities, including a high-severity heap
buffer overflow in the YAML emitter. The heap overflow occurs when
class names exceed the initial 512-byte allocation. The base64
decoder could read past the end of the buffer on trailing newlines.
strtok mutated n->type_id in place, corrupting shared node data. A
memory leak occurred in syck_hdlr_add_anchor when a node already had
an anchor: the incoming anchor string 'a' was leaked on early return.
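The following C program is an added illustration for this advisory; it is not libsyck, YAML::Syck or Debian code. It shows two of the defect classes described above in generic form: a fixed initial allocation written without a bound check (kept as a comment, never executed) next to a hardened buffer that grows before copying, and a base64 decoder whose every read is checked against the input length, so a trailing newline is skipped rather than read past. The 512-byte initial size mirrors the number in the advisory; all function names, the outbuf type and the sample inputs are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_CAP 512   /* the initial allocation size named in the advisory */

/* Tiny growable output buffer, standing in for an emitter's scratch area (constructed). */
typedef struct { char *data; size_t len, cap; } outbuf;

int outbuf_init(outbuf *b) {
    b->data = malloc(INITIAL_CAP);
    if (!b->data) return -1;
    b->data[0] = '\0'; b->len = 0; b->cap = INITIAL_CAP;
    return 0;
}
void outbuf_free(outbuf *b) { free(b->data); b->data = NULL; b->len = b->cap = 0; }

/* Unsafe pattern (comment only): assumes the initial allocation always suffices.
 * A name longer than cap - len - 1 bytes writes past the end of the heap block.
 *
 *   void emit_class_name_unsafe(outbuf *b, const char *name) {
 *       strcpy(b->data + b->len, name);   // no check against b->cap
 *       b->len += strlen(name);
 *   }
 */

/* Hardened form: grow (doubling) before the copy so the write, including the
 * terminating NUL, always lands inside the allocation. Returns 0 or -1. */
int emit_class_name(outbuf *b, const char *name) {
    size_t need = strlen(name);
    if (need > SIZE_MAX - b->len - 1) return -1;          /* size_t overflow guard */
    if (b->len + need + 1 > b->cap) {
        size_t ncap = b->cap;
        while (ncap < b->len + need + 1) {
            if (ncap > SIZE_MAX / 2) return -1;
            ncap *= 2;
        }
        char *p = realloc(b->data, ncap);
        if (!p) return -1;
        b->data = p; b->cap = ncap;
    }
    memcpy(b->data + b->len, name, need + 1);
    b->len += need;
    return 0;
}

/* Exercise emit_class_name with a constructed name of n 'A's; returns the
 * resulting capacity, or 0 if anything failed or the buffer is inconsistent. */
size_t grow_with_name_of_length(size_t n) {
    outbuf b;
    if (outbuf_init(&b) != 0) return 0;
    char *name = malloc(n + 1);
    if (!name) { outbuf_free(&b); return 0; }
    memset(name, 'A', n); name[n] = '\0';
    int rc = emit_class_name(&b, name);
    size_t cap = (rc == 0 && b.len == n && b.data[n] == '\0') ? b.cap : 0;
    free(name); outbuf_free(&b);
    return cap;
}

static int b64_val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Bounded base64 decoder: the loop index is compared with inlen on every
 * iteration, so whitespace at the very end (e.g. a trailing '\n') is skipped
 * without touching in[inlen]. Returns decoded length, or -1 on an invalid
 * character. `out` needs room for inlen * 3 / 4 + 1 bytes. */
long b64_decode_bounded(const unsigned char *in, size_t inlen, unsigned char *out) {
    unsigned int acc = 0;
    int bits = 0;
    size_t i, o = 0;
    for (i = 0; i < inlen; i++) {
        int c = in[i];
        if (c == '\n' || c == '\r' || c == ' ' || c == '\t') continue;
        if (c == '=') break;                /* padding: stop, do not scan further */
        int v = b64_val(c);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[o++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    out[o] = '\0';
    return (long)o;
}

int main(void) {
    unsigned char out[64];
    printf("cap after 999-byte name: %zu\n", grow_with_name_of_length(999));
    long n = b64_decode_bounded((const unsigned char *)"aGVsbG8=\n", 9, out);
    printf("decoded %ld bytes: %s\n", n, out);
    return 0;
}
```

The decoder deliberately stops at the first `=` and never looks beyond `inlen`; a decoder that instead scans for a terminator or assumes a fixed group size is the shape of bug the advisory attributes to the base64 path.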
For Debian 11 bullseye, these problems have been fixed in version
1.34-1+deb11u1.
We recommend that you upgrade your libyaml-syck-perl packages.
For the detailed security status of libyaml-syck-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libyaml-syck-perl
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iHQEARYKAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCadfx2QAKCRDoRGtKyMdy
YbyLAPjLsmn1l3CEvsNUA4bCu4FFC7+VXlkMXke9X+PT2IkZAQDa+5V0l4u5IvfL
HF0AOiI2xSlmncvQpkNjWLqwAJ+KCA==
=fg02
-----END PGP SIGNATURE-----