Security Information / 2016 / Security Information -- DSA-3577-1 jansson

Debian Security Advisory

DSA-3577-1 jansson -- security update

Date Reported:

14 May 2016

Affected Packages:

jansson

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 823238.
In Mitre's CVE dictionary: CVE-2016-4425.

More information:

Gustavo Grieco discovered that jansson, a C library for encoding, decoding and manipulating JSON data, did not limit the recursion depth when parsing JSON arrays and objects. This could allow remote attackers to cause a denial of service (crash) via stack exhaustion, using crafted JSON data.

For the stable distribution (jessie), this problem has been fixed in version 2.7-1+deb8u1.

For the unstable distribution (sid), this problem has been fixed in version 2.7-5.

We recommend that you upgrade your jansson packages.