Address or document PyYAML v3 CVE for unsafe yaml.load() #168

garyd203 · 2019-03-11T10:17:24Z

PyYAML v3 has a high-severity security warning where yaml.load is unsafe. There has been an extensive discussion (summarised in their issue 207 ), but no resolution yet. It is expected that v5 will solve this, with a final release expected some time in march 2019.

In the mean time, we could document that this doesn't affect us (because we only dump YAML). Or just wait for a new version.

The text was updated successfully, but these errors were encountered:

garyd203 changed the title ~~Address or document PyYAML v3 CVE for unsafe yaml.load~~ Address or document PyYAML v3 CVE for unsafe yaml.load() Mar 11, 2019

garyd203 added bug security labels Mar 11, 2019

garyd203 added a commit that referenced this issue Mar 11, 2019

#168: Bump PyYAML to latest version, note CVE.

7724dce

garyd203 added a commit that referenced this issue Mar 11, 2019

#168: Bump PyYAML to latest version, note CVE.

158541b

garyd203 added a commit that referenced this issue Jul 15, 2019

#168: Bump PyYAML to v5.1 and remove CVE altogether

97360bf

garyd203 mentioned this issue Jul 15, 2019

Bump PyYAML to v5.1 and remove CVE altogether #195

Merged

garyd203 closed this as completed in #195 Jul 15, 2019

garyd203 added a commit that referenced this issue Jul 15, 2019

#168: Bump PyYAML to v5.1 and remove CVE altogether

21f1ade

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Address or document PyYAML v3 CVE for unsafe yaml.load() #168

Address or document PyYAML v3 CVE for unsafe yaml.load() #168

garyd203 commented Mar 11, 2019

Address or document PyYAML v3 CVE for unsafe yaml.load() #168

Address or document PyYAML v3 CVE for unsafe yaml.load() #168

Comments

garyd203 commented Mar 11, 2019