
Upgrade scenarioplayer's pyyaml dependency #3231

Merged

Conversation

LefterisJP
Contributor

Pyyaml had an arbitrary code execution vulnerability in previous versions.

Check https://nvd.nist.gov/vuln/detail/CVE-2017-18342

@ulope please take a look

@pirapira
Contributor

pirapira commented Jan 7, 2019

(I tried to look up why the fix is not in the stable release. I found a hot discussion yaml/pyyaml#194 .)

@LefterisJP
Contributor Author

@pirapira it's not our problem -- pyyaml is only used by scenario player so there is no real security issue for us at all. It's just to silence the github critical vulnerability emails.

@ulope
Collaborator

ulope commented Jan 8, 2019

There's already 4.2b4 released by now. IMO we should just wait a few more days until they have the final 4.2 out. No sense updating to a possibly unstable beta release.

@LefterisJP
Contributor Author

LefterisJP commented Jan 8, 2019

@ulope Is it a few more days? If so, sure, I can keep the PR open and update when released. Can you give me a link to the upcoming stable release plan? But judging by their release history of "stable" releases: https://pypi.org/project/PyYAML/#history

There is a 2 year difference between each of the last 3 stable patch releases. I am not going to have the github critical vulnerability emails for another 1.5 years ^_^

@ulope
Collaborator

ulope commented Jan 8, 2019

Right, I didn't realize the 4.2b4 is already that old.
But we can simply dismiss that security report since we're not actually vulnerable:

Pyyaml had an arbitrary code execution vulnerability in previous
versions.

Check https://nvd.nist.gov/vuln/detail/CVE-2017-18342
@ulope ulope force-pushed the upgrade_pyyaml_for_scenarioplayer branch from 2c9fcd0 to 9b3eb6f on January 9, 2019 15:24
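The thread's argument for dismissing the report is that PyYAML is only reached through the scenario player, so no untrusted input hits `yaml.load()`. That claim is checkable mechanically: CVE-2017-18342 concerns calls that use PyYAML's default loader, so an audit only has to find `yaml.load()` / `yaml.load_all()` calls without a safe `Loader`. The script below is an added example, not code from this PR, from the raiden code base or from PyYAML; it uses only the standard library's `ast` module, and the source it scans (`SAMPLE_SOURCE`) is constructed for the demonstration.

```python
"""Audit Python source for PyYAML load() calls that fall back to the unsafe default loader.

Added example (not raiden or PyYAML code). It answers the triage question from the
PR thread, "do we actually call yaml.load() without a safe loader?", by walking the
AST of a code base. SAMPLE_SOURCE below is constructed for the demonstration.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Loaders that construct arbitrary Python objects from tagged YAML nodes.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader"}
# Loaders restricted to plain YAML types (mappings, sequences, scalars).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}


@dataclass
class Finding:
    line: int
    call: str
    reason: str


def _last_name(node: ast.AST) -> Optional[str]:
    """Trailing identifier of a Name or Attribute node (yaml.SafeLoader -> 'SafeLoader')."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def audit_yaml_loads(source: str) -> List[Finding]:
    """One Finding per yaml.load()/yaml.load_all() call not pinned to a safe loader."""
    tree = ast.parse(source)

    # Names bound by "from yaml import load [as alias]" so aliased calls are caught too.
    imported: dict = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                if alias.name in ("load", "load_all"):
                    imported[alias.asname or alias.name] = alias.name

    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        call = None
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "yaml" and func.attr in ("load", "load_all")):
            call = "yaml." + func.attr
        elif isinstance(func, ast.Name) and func.id in imported:
            call = "yaml." + imported[func.id]
        if call is None:
            continue

        # Loader may arrive as the keyword Loader=... or as the second positional argument.
        keyword = next((k.value for k in node.keywords if k.arg == "Loader"), None)
        positional = node.args[1] if len(node.args) > 1 else None
        loader = keyword if keyword is not None else positional

        if loader is None:
            findings.append(Finding(node.lineno, call, "no Loader given; default loader builds arbitrary Python objects"))
        else:
            name = _last_name(loader)
            if name in UNSAFE_LOADERS:
                findings.append(Finding(node.lineno, call, f"Loader={name} builds arbitrary Python objects"))
            elif name not in SAFE_LOADERS:
                findings.append(Finding(node.lineno, call, f"Loader={name!r} not recognised; review manually"))

    # ast.walk is breadth-first; report in source order.
    findings.sort(key=lambda f: f.line)
    return findings


# Constructed sample: one call per pattern the auditor distinguishes.
SAMPLE_SOURCE = '''
import yaml
from yaml import load as yload

def read_scenario(path):
    with open(path) as fh:
        return yaml.load(fh)                          # line 7: default loader, flagged

def read_config(text):
    return yaml.load(text, Loader=yaml.SafeLoader)    # line 10: safe, not flagged

def read_other(text):
    return yload(text, yaml.Loader)                   # line 13: unsafe loader, flagged

def read_plain(text):
    return yaml.safe_load(text)                       # line 16: safe_load, not flagged
'''

if __name__ == "__main__":
    for f in audit_yaml_loads(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.call}: {f.reason}")
```

Run over a repository with `audit_yaml_loads(open(path).read())` per `.py` file; an empty result for every file that handles external input is the evidence that turns "we're not actually vulnerable" from an assertion into a finding, and it keeps being true only while new `yaml.load()` calls are also pinned to a safe loader.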
Collaborator

@ulope ulope left a comment


Works fine with the scenario player.

I've updated the version to 4.2.b4

@ulope ulope merged commit 12dba59 into raiden-network:master Jan 9, 2019
@LefterisJP LefterisJP deleted the upgrade_pyyaml_for_scenarioplayer branch January 9, 2019 21:34