Debian Security Advisory
DSA-3577-1 jansson -- security update
- Date Reported:
- 14 May 2016
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 823238.
In Mitre's CVE dictionary: CVE-2016-4425.
- More information:
Gustavo Grieco discovered that jansson, a C library for encoding, decoding and manipulating JSON data, did not limit the recursion depth when parsing JSON arrays and objects. This could allow remote attackers to cause a denial of service (crash) via stack exhaustion, using crafted JSON data.
For the stable distribution (jessie), this problem has been fixed in version 2.7-1+deb8u1.
For the unstable distribution (sid), this problem has been fixed in version 2.7-5.
We recommend that you upgrade your jansson packages.