CVE-2017-18342 status #207
Comments
I haven't read the code, but it seems like 3.13 does not fix the CVE. The CVE was regarding the default-unsafe load method, and the change that fixed it (PR #74) was only merged in 4.1 onward, and has since been reverted from the main branch that 4.2 will be cut from. Issue #193 has the most clarity on the release plan, but it's unclear what the timeline for having #74 (that is, a fix for the CVE) re-merged is. It might be a while before there's a fix for the CVE. Thanks again for the work you do with PyUp @Jwomers; I would say this is a tricky situation for a safety database. The CVE is not a new thing, it merely got unsafe defaults that have been present since 2006 flagged. Users of PyYAML need to know that they're using a potentially dangerous package, but at the same time, this isn't shocking to anyone who has some familiarity with PyYAML and its sharp edges.
@Kobold's assessment is spot on. 3.13 only addresses PyYAML working with Python 3.7. The next release (almost certainly versioned as 4.2) has high hopes of including a fix for this issue.
Hi, thanks for the pyyaml project. It has been very helpful!
Works around build failures caused by yaml/pyyaml#207 until a safe, stable release lands. Signed-off-by: Brendan Devenney <brendan@devenney.io>
The summary from my analysis on our downstream bug https://phabricator.wikimedia.org/T214560#4905113
That has been included in There is a safey-api branch which might be related to commit 3dc3f5f. And I guess it reimplements the feature in a different way. The only release that has this change is My conclusion is the CVE complains that I think the CVE can be dismissed, but at least it raises awareness that code relying on pyyaml should be audited for usage of To make it nicer to users that do not pay attention to the possible code execution when using
Also from Debian https://security-tracker.debian.org/tracker/CVE-2017-18342
A CVE-2017-18342 alert was showing on GitHub. The following issues had the countermeasure:
- yaml/pyyaml#193 (comment)
- yaml/pyyaml#207 (comment)
So I switched to yaml.safe_load().
This issue is being addressed in the upcoming 5.1 release. 5.1b1 is out, and 5.1b3 went out tonight. The PR that resolves this issue is #257
I'm not sure if issuing a "warning" is enough to solve this issue immediately. While it's of course the correct step, this is only half of the way to fix the issue eventually.
Did you take a look at #257? From there:
My bad, I must have missed that
Using the beta version may include the security fix, but it causes installation issues. Using safe_load is safe across versions according to yaml/pyyaml#207.
PyYAML 5.1 has been released. https://pypi.org/project/PyYAML/5.1/ This release resolves CVE-2017-18342. For latest details, see: https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
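Added example, not code from the PyYAML project or from anyone in this thread. It shows the two things the thread keeps coming back to: that `yaml.safe_load()` refuses a document carrying a `!!python/object/apply` tag while the unrestricted `yaml.Loader` executes the tagged callable during parsing (the pre-5.1 default behaviour behind CVE-2017-18342), and a small AST-based audit that flags `yaml.load(...)` calls made without a `Loader=` argument or with an unrestricted loader. The YAML documents and the source being audited are constructed for the example; the payload uses `os.getcwd` as a harmless stand-in for `os.system`.

```python
"""Added example: safe_load vs. the unrestricted loader, plus a yaml.load audit."""
import ast
import os

import yaml

# Constructed sample document. The python/object/apply tag instructs the
# unrestricted constructor to import os and call os.getcwd() while parsing.
# A real attacker would use os.system or subprocess.Popen here.
TAGGED_DOC = """\
name: demo
payload: !!python/object/apply:os.getcwd []
"""

# Constructed benign document for comparison.
PLAIN_DOC = """\
name: demo
payload: just a string
"""


def load_untrusted(text):
    """The cross-version safe call: only SafeLoader's constructors are used."""
    return yaml.safe_load(text)


def safe_load_rejects(text):
    """True if safe_load refuses the document (ConstructorError, a YAMLError)."""
    try:
        yaml.safe_load(text)
    except yaml.YAMLError:
        return True
    return False


def unrestricted_load_runs_callable(text):
    """Reproduce the old default: yaml.Loader wires in the unrestricted
    Constructor, so the tag in TAGGED_DOC calls os.getcwd() during parsing.
    Returns True when the parsed 'payload' is that call's return value."""
    data = yaml.load(text, Loader=yaml.Loader)
    return data["payload"] == os.getcwd()


# Loader names that keep the unrestricted behaviour (assumption: the module is
# imported as `yaml`, which is the common convention).
UNRESTRICTED_LOADERS = {"Loader", "UnsafeLoader"}


def find_unsafe_yaml_load_calls(source):
    """Audit helper: return (lineno, reason) for each yaml.load(...) call that
    either passes no Loader= keyword or passes an unrestricted loader."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        fn = node.func
        is_yaml_load = (isinstance(fn, ast.Attribute) and fn.attr == "load"
                        and isinstance(fn.value, ast.Name) and fn.value.id == "yaml")
        if not is_yaml_load:
            continue
        loader_kw = next((k for k in node.keywords if k.arg == "Loader"), None)
        if loader_kw is None:
            hits.append((node.lineno, "yaml.load without Loader="))
        elif (isinstance(loader_kw.value, ast.Attribute)
              and loader_kw.value.attr in UNRESTRICTED_LOADERS):
            hits.append((node.lineno, "yaml.load with yaml." + loader_kw.value.attr))
    return hits


# Constructed source under audit (not from any real project).
SAMPLE_SOURCE = """\
import yaml
cfg = yaml.load(open("cfg.yml"))                       # no Loader: the CVE pattern
data = yaml.load(text, Loader=yaml.SafeLoader)         # explicit safe loader
other = yaml.safe_load(text)                           # fine
legacy = yaml.load(text, Loader=yaml.UnsafeLoader)     # explicit, still unrestricted
"""


if __name__ == "__main__":
    print("safe_load on plain doc:", load_untrusted(PLAIN_DOC))
    print("safe_load rejects tagged doc:", safe_load_rejects(TAGGED_DOC))
    print("yaml.Loader ran os.getcwd():", unrestricted_load_runs_callable(TAGGED_DOC))
    for lineno, reason in find_unsafe_yaml_load_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}")
```

The audit is a first pass only: a call such as `yaml.load(text, Loader=loader)` with the loader chosen at runtime is not flagged and needs a manual look. Note that a bare `yaml.load(text)` changes meaning by version: before 5.1 it is the unrestricted loader, from 5.1 it emits the deprecation warning and falls back to FullLoader, and from 6.0 the `Loader` argument is required, so `yaml.safe_load()` (or `Loader=yaml.SafeLoader`) is the form that behaves the same everywhere.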
Hi, I am maintaining the safety database at PyUp, and I want to get clarity on which version of PyYAML fixes CVE-2017-18342? I know 4.1 was released and then retracted from PyPi.
Does 3.13 fix CVE-2017-18342?
Thanks