Update PyYAML from version 3.12 to version >= 4.1 #5
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update PyYAML to 4.1
Merge this pull request to resolve 2 vulnerabilities in version 3.12 of PyYAML.
CRITICAL - CVE-2017-18342: PyYAML: yaml.load() API could execute arbitrary code
Description
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.
References
https://access.redhat.com/security/cve/CVE-2017-18342
Use 'yaml.safe_load' in 'load_yaml_from_docstring' marshmallow-code/apispec#278
https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2018-49.yaml
https://github.com/yaml/pyyaml
https://github.com/yaml/pyyaml/blob/master/CHANGES
yaml/pyyaml@7b68405
PyYAML 4.2 Release Plan yaml/pyyaml#193
Make pyyaml safe by default. yaml/pyyaml#74
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load%28input%29-Deprecation
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
https://linux.oracle.com/cve/CVE-2017-18342.html
https://linux.oracle.com/errata/ELSA-2022-9341.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/
https://lists.fedoraproject.org/archives/list/[email protected]/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ
https://lists.fedoraproject.org/archives/list/[email protected]/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE
https://lists.fedoraproject.org/archives/list/[email protected]/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA
https://nvd.nist.gov/vuln/detail/CVE-2017-18342
https://security.gentoo.org/glsa/202003-45
https://www.cve.org/CVERecord?id=CVE-2017-18342
Publish date
2018-06-27
CRITICAL - CVE-2020-14343: PyYAML: incomplete fix for CVE-2020-1747
Description
A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
References
https://access.redhat.com/security/cve/CVE-2020-14343
https://bugzilla.redhat.com/show_bug.cgi?id=1860466
https://errata.almalinux.org/8/ALSA-2021-2583.html
Resolve CVE for PyYAML - CVE-2020-14343 SeldonIO/seldon-core#2252
GHSA-8q59-q68h-6hv4
https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2021-142.yaml
https://github.com/yaml/pyyaml
yaml/pyyaml@a001f27
.load() and FullLoader still vulnerable to fairly trivial RCE yaml/pyyaml#420
.load() and FullLoader still vulnerable to fairly trivial RCE yaml/pyyaml#420 (comment)
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
https://linux.oracle.com/cve/CVE-2020-14343.html
https://linux.oracle.com/errata/ELSA-2021-2583.html
https://nvd.nist.gov/vuln/detail/CVE-2020-14343
https://pypi.org/project/PyYAML
https://ubuntu.com/security/notices/USN-4940-1
https://www.cve.org/CVERecord?id=CVE-2020-14343
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
Publish date
2021-02-09