Issue #8539
pulpcore 3.7 branch needs PyYAML dep raised to include 5.4.x to fix CVE-2020-14343
Status: CLOSED - DUPLICATE
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Severity: 2. Medium
Triaged: No
Groomed: No
Sprint Candidate: No
Description
CVE-2020-14343 (Improper Input Validation in PyYAML)
- https://github.com/advisories/GHSA-8q59-q68h-6hv4
- https://nvd.nist.gov/vuln/detail/CVE-2020-14343
- https://github.com/yaml/pyyaml/issues/420#issuecomment-663673966
pulpcore 3.7 branch (and latest release 3.7.4) have PyYAML dep:
PyYAML>=5.1.1,<5.4.0
which prevents updating to PyYAML 5.4.1