This is required in both 2.1.x and 2.2.x
Comment From: wilkinsona
Thanks for the suggestion, but we do not upgrade to new minor versions of a dependency in maintenance releases of Spring Boot. We'll pick up SnakeYAML 1.26 in Spring Boot 2.3 in due course as part of our semi-automated dependency upgrade process.
Comment From: dberrueta-atlassian
Hi @wilkinsona . SnakeYaml 1.25 (the version currently included in Spring Boot 2.2.x) is affected by a DoS vulnerability, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
I'm not familiar enough with Spring Boot to know if this library is used to parse untrusted input, so I'm not sure if Spring Boot 2.2.x is affected by this vulnerability.
The fix was included in SnakeYaml 1.26 according to the release notes: https://bitbucket.org/asomov/snakeyaml/wiki/Changes
In case Spring Boot 2.2.x is indeed affected by this problem, what would be the correct process to have it fixed without having to wait for Spring Boot 2.3? (https://github.com/spring-projects/spring-boot/issues/20467).
Thank you
Comment From: bclozel
Hi @dberrueta-atlassian ,
Spring Boot uses SnakeYaml to parse the application configuration - so by default, no untrusted input is fed to the parser.
If applications choose to use the SnakeYaml library to parse untrusted sources, they can always override the version provided by the Spring Boot dependency management as shown in our reference documentation.
In this case, the version property is snakeyaml.version, so Maven users can override it like this:
<properties>
<snakeyaml.version>1.26</snakeyaml.version>
</properties>
Gradle users like this:
ext['snakeyaml.version'] = '1.26'
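For an application that does feed untrusted YAML to SnakeYaml after overriding the version as shown above, the following added example (not code from the thread or from Spring Boot) shows how to load such input with the alias limit that SnakeYAML 1.26 introduced as the fix for CVE-2017-18640. It assumes SnakeYAML 1.26 on the classpath and that release's LoaderOptions.setMaxAliasesForCollections and four-argument Yaml constructor; the YAML documents are constructed samples.

```java
import java.util.Map;

import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

public class UntrustedYamlLoader {

    // Parser for YAML that did not come from the application's own configuration files.
    // SafeConstructor: only standard YAML types, no instantiation of arbitrary Java classes.
    // LoaderOptions (assumed SnakeYAML 1.26 API): cap the number of aliases to collection
    // nodes, which bounds the expansion that the DoS in CVE-2017-18640 relied on.
    static Yaml untrustedYaml(int maxAliases) {
        LoaderOptions options = new LoaderOptions();
        options.setMaxAliasesForCollections(maxAliases);
        return new Yaml(new SafeConstructor(), new Representer(), new DumperOptions(), options);
    }

    public static void main(String[] args) {
        Yaml yaml = untrustedYaml(2);

        // Constructed sample: one anchor and one alias, within the limit of 2.
        String benign = "base: &a {x: 1}\nuse: *a\n";
        Map<String, Object> loaded = yaml.load(benign);
        System.out.println("benign document loaded: " + loaded);

        // Constructed sample: three aliases of the same collection node, over the limit.
        String tooManyAliases = "base: &a {x: 1}\nlist: [*a, *a, *a]\n";
        try {
            yaml.load(tooManyAliases);
            System.out.println("unexpected: document was accepted");
        } catch (YAMLException e) {
            // The loader refuses the document before building the expanded structure.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Pick the limit from what legitimate input actually needs; the library default in 1.26 is higher than the value used here, which is deliberately small so the rejection path is visible.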
Comment From: dberrueta-atlassian
Thank you for your answer, @bclozel . It's great to hear that Spring Boot only uses SnakeYaml with trusted inputs. That is exactly the information I needed.