Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update pyyaml to >=5.1 #2064

Merged
merged 2 commits into from
May 30, 2019
Merged

update pyyaml to >=5.1 #2064

merged 2 commits into from
May 30, 2019

Conversation

redshiftzero
Copy link
Contributor

Closes #1806

CVE-2017-18342 flags the previously unsafe default yaml load function in pyyaml. Since version 1.0.6 of this project, it looks like the safe loader (yaml.safe_load) was already used everywhere. This PR just updates to a version of pyyaml that does not have the CVE associated with it.

@redshiftzero
update pyyaml to >=5.1: mitigates CVE-2017-18342
0675c40 
Signed-off-by: redshiftzero <jen@freedom.press>
decentral1se
decentral1se suggested changes May 25, 2019
View reviewed changes
Copy link
Contributor

@decentral1se decentral1se left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool, thanks!

setup.cfg Outdated
@@ -80,7 +80,7 @@ install_requires =
Jinja2 >= 2.10.1
pexpect >= 4.6.0, < 5
psutil == 5.4.6; sys_platform!="win32" and sys_platform!="cygwin"
PyYAML == 3.13
PyYAML >= 5.1
Copy link
Contributor

@decentral1se decentral1se May 25, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we also get a < 6 ?

Assuming semantic versioning ... but we should make sure 👍

Copy link
Contributor

@decentral1se decentral1se May 28, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please see https://github.com/yaml/pyyaml/blob/master/CHANGES#L7.

decentral1se
decentral1se reviewed May 25, 2019
View reviewed changes
Copy link
Contributor

@decentral1se decentral1se left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, can we also get a changelog entry for this?

@decentral1se decentral1se mentioned this pull request May 28, 2019
Closed
@ssbarnea ssbarnea self-requested a review May 28, 2019 11:34
decentral1se
decentral1se suggested changes May 28, 2019
View reviewed changes
Copy link
Contributor

@decentral1se decentral1se left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Marking for #2064 (comment) and #2064 (review).

@redshiftzero redshiftzero mentioned this pull request May 29, 2019
Closed
@ssbarnea ssbarnea merged commit b31d734 into ansible:master May 30, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ssbarnea ssbarnea ssbarnea approved these changes

@decentral1se decentral1se decentral1se approved these changes

@webknjaz webknjaz Awaiting requested review from webknjaz

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

PyYAML update CVE-2017-18342
3 participants
@redshiftzero @ssbarnea @decentral1se