Please release fix for CVE-2022-28948

[giancorderoortiz]

Good morning,

It appears https://pkg.go.dev/sigs.k8s.io/yaml@v1.3.0 does not contain a fix for CVE-2022-28948.
According to go-yaml/yaml#666, a fix has been generated for CVE-2022-28948.

Is it possible then to please release a patch that fixes this CVE within the upcoming weeks?

[cprivitere]

I believe it was determined this was a yaml v3 issue, which currently is not what sigs/yaml is based on (it's still v2).

#78

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[liggitt]

this is an issue only with go-yaml/yaml v3 (go-yaml/yaml#666 (comment))

this repo still uses v2 and is not affected by this issue

/close

[k8s-ci-robot]

@liggitt: Closing this issue.

In response to this:

this is an issue only with go-yaml/yaml v3 (go-yaml/yaml#666 (comment))

this repo still uses v2 and is not affected by this issue

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.