Backport #8540
pulpcore 3.7 branch needs PyYAML dep raised to include 5.4.x to fix CVE-2020-14343 (backport 205c903bb22)
Status: closed
Start date:
Due date:
% Done: 100%
Estimated time:
Triaged: No
Sprint Candidate: No
Tags:
Sprint: Sprint 94
Quarter: Q2-2021
Description
Backport request for 205c903bb2232d7f6fb8291c2f6ab0ba74442f9e into 3.7 branch, maybe others.
CVE-2020-14343 (Improper Input Validation in PyYAML)
- https://github.com/advisories/GHSA-8q59-q68h-6hv4
- https://nvd.nist.gov/vuln/detail/CVE-2020-14343
- https://github.com/yaml/pyyaml/issues/420#issuecomment-663673966
pulpcore 3.7 branch (and latest release 3.7.4) has the PyYAML dep:
PyYAML>=5.1.1,<5.4.0
which prevents updating to PyYAML 5.4.1.
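An added check (not pulpcore's own code) that turns the description above into something runnable: it parses a pin like the one quoted and reports whether the release carrying the fix can be installed under it. The raised pin "<5.5" used at the end is an assumption for illustration, not the value from the backport commit.

```python
import re
from typing import Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    # Numeric release segments only (e.g. "5.4.1" -> (5, 4, 1)); pre-release
    # tags are out of scope for this illustration.
    return tuple(int(p) for p in text.strip().split("."))

def _cmp(a: Version, b: Version) -> int:
    # Pad the shorter tuple with zeros so "5.4" == "5.4.0", then compare.
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

_OPS = {
    ">=": lambda c: c >= 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, "<": lambda c: c < 0,
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
}

def parse_requirement(req: str):
    """Split 'PyYAML>=5.1.1,<5.4.0' into (name, [(op, version), ...])."""
    m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$", req)
    name, spec = m.group(1), m.group(2)
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        op, ver = re.match(r"^(>=|<=|==|!=|>|<)\s*(.+)$", clause).groups()
        clauses.append((op, parse_version(ver)))
    return name, clauses

def allows(req: str, version: str) -> bool:
    """True if every clause of the pin admits the given version."""
    _, clauses = parse_requirement(req)
    v = parse_version(version)
    return all(_OPS[op](_cmp(v, bound)) for op, bound in clauses)

def audit_pin(req: str, fixed_version: str) -> str:
    """Report whether the pin can resolve to the release that carries the fix."""
    name, _ = parse_requirement(req)
    if allows(req, fixed_version):
        return f"{name}: pin admits {fixed_version}"
    return f"{name}: pin excludes {fixed_version}; upper bound must be raised"

if __name__ == "__main__":
    # The 3.7-branch pin from the issue, then an assumed raised pin.
    print(audit_pin("PyYAML>=5.1.1,<5.4.0", "5.4.1"))
    print(audit_pin("PyYAML>=5.1.1,<5.5", "5.4.1"))
```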
Related issues
Updated by ggainey over 3 years ago
- Related to Issue #8539: pulpcore 3.7 branch needs PyYAML dep raised to include 5.4.x to fix CVE-2020-14343 added
Updated by ttereshc over 3 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to ttereshc
- Sprint set to Sprint 94
- Quarter set to Q2-2021
Updated by pulpbot over 3 years ago
- Status changed from ASSIGNED to POST
Added by ttereshc over 3 years ago
Updated by ttereshc over 3 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulpcore|d0e87121a49a6102a1c6985a48bc308a6cda4c72.
Allow to use PyYAML 5.4 which addresses CVE-2020-14343
https://github.com/advisories/GHSA-8q59-q68h-6hv4 https://nvd.nist.gov/vuln/detail/CVE-2020-14343
closes #8540 https://pulp.plan.io/issues/8540