Update to SnakeYAML 1.26 to address CVE-2017-18640

[joschi]

SnakeYAML < 1.26 is vulnerable to a Billion Laughs attack (denial of service).

The issue has been tracked in asomov/snakeyaml#377 and been published in CVE-2017-18640.

References:

• https://cwe.mitre.org/data/definitions/776.html
• https://nvd.nist.gov/vuln/detail/CVE-2017-18640
• https://bitbucket.org/asomov/snakeyaml/issues/377
• update snakeyaml to 1.26+ to address security vulnerability CVE-2017-18640 dropwizard/dropwizard#3223

[cowtowncoder]

Updated for 2.10(.4); backported in 2.9 branch but uncertain whether there will be any releases (if so, 2.9.10.1 or 2.9.11)

[joschi]

@cowtowncoder Thanks for your swift reaction!

[cowtowncoder]

No prob, thank you for bringing this CVE to our attention.

[nandakishorkn]

Even after this commit, I still see SnakeYAML 1.23 is getting pulled via DropWizard 1.3.22.

From dropwizard-bom-1.3.22.pom, I see it is correctly pointing to SnakeYAML 1.26 but SnakeYAML 1.23 is getting pulled via DropWizard 1.3.22
https://repo1.maven.org/maven2/io/dropwizard/dropwizard-bom/1.3.22/dropwizard-bom-1.3.22.pom