The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Created snakeyaml tracking bugs for this issue:
Affects: fedora-all [bug 1785377]
What needs to be done here? Is there a specific patch that needs to be applied?
Upstream's position seems to be that you need to be careful about what inputs you give to snakeyaml. From a snakeyaml packager POV, there's not much we can do if snakeyaml upstream won't fix it and we don't control how packages use snakeyaml downstream or upstream. Would rebasing F30 to 1.25 (like F31 and Rawhide are currently on) suffice, or is there something else required from us? Does 1.25 solve the issue? It isn't immediately clear.
Otherwise I'm inclined to close the Fedora tracker with WONTFIX and point to the upstream wiki.
Since upstream will not fix this issue, I assume that's OK to close this as WONTFIX.
You can wait for the analysis from our side for more information.
According to the upstream bug entry, they are not considering this a security vulnerability and are not inclined to fix this issue. Given this scenario, this bug will be closed as WONTFIX.
snakeyaml's upstream is not considering this a security vulnerability. Their justification is explained at the link in the 'External References' field.
Upstream has now merged a patch to fix this.
snakeyaml v1.26 contains the fix
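As an added illustration (not code from this bug report or from the SnakeYAML project), the following shows the defensive setting that 1.26 introduced for the alias-expansion problem described above: `LoaderOptions.setMaxAliasesForCollections(int)` caps how many aliases to non-scalar nodes a document may contain, so a document that reuses anchored collections many times is rejected at compose time instead of being expanded. The small YAML document, the limit value of 2, and the expectation that a SnakeYAML 1.26 or later jar is on the classpath are assumptions made for this example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class AliasLimitExample {

    // Constructed sample: one anchored mapping reused through three aliases.
    // Each alias refers to a non-scalar node, so it counts against the limit.
    static final String DOC =
            "base: &b {x: 1, y: 2}\n" +
            "copies: [*b, *b, *b]\n";

    // Build a loader that refuses documents with more than maxAliases
    // aliases to collections (assumed API: SnakeYAML 1.26+ LoaderOptions).
    static Yaml boundedLoader(int maxAliases) {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(maxAliases);
        return new Yaml(opts);
    }

    // Returns true if the document loads within the alias budget,
    // false if SnakeYAML rejects it for exceeding the limit.
    static boolean loadsWithinBudget(String yaml, int maxAliases) {
        try {
            boundedLoader(maxAliases).load(yaml);
            return true;
        } catch (YAMLException e) {
            // 1.26 reports: "Number of aliases for non-scalar nodes exceeds the maximum: N"
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Three collection aliases vs. a budget of two: rejected.
        System.out.println("limit 2 -> loads? " + loadsWithinBudget(DOC, 2));
        // The 1.26 default budget is 50, so the same document loads fine.
        System.out.println("default -> loads? " + loadsWithinBudget(DOC, new LoaderOptions().getMaxAliasesForCollections()));
    }
}
```

The limit only bounds aliases to collections; it does not change the upstream advice that untrusted YAML should still be parsed with `SafeConstructor` rather than the default constructor, which is a separate concern from the expansion issue tracked here.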
This issue has been addressed in the following products:
Red Hat build of Quarkus 1.3.4
Via RHSA-2020:2603 https://access.redhat.com/errata/RHSA-2020:2603