Update pyyaml when 4.2 release is available due to CVE-2017-18342 #52

redshiftzero · 2019-01-11T23:44:56Z

Description

We got a GitHub security alert regarding a CVE in pyyaml: CVE-2017-18342. The fix, merged in the pyyaml repo, renames safe_load to load and load to danger_load. pyyaml is brought in as a development only dependency for this project.

We shouldn't update to latest yet due to the fact that the only 4.2* versions available on PyPI are marked as pre-release - see yaml/pyyaml#193 for the full details.

tl;dr We should wait until pyyaml 4.2 is officially released and then update.

The text was updated successfully, but these errors were encountered:

Fixes #52.

redshiftzero assigned rmol Mar 28, 2019

rmol mentioned this issue Apr 1, 2019

Update PyYAML dependency freedomofpress/securedrop-client#292

Closed

rmol added a commit that referenced this issue Apr 12, 2019

0.0.7: Update PyYAML to 5.1 or better

e10c39d

Fixes #52.

rmol mentioned this issue Apr 12, 2019

0.0.7: Update PyYAML to 5.1 or better #72

Merged

rmol added a commit that referenced this issue Apr 12, 2019

Update PyYAML to 5.1.

219d72e

Fixes #52.

rmol closed this as completed in #72 Apr 15, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update pyyaml when 4.2 release is available due to CVE-2017-18342 #52

Update pyyaml when 4.2 release is available due to CVE-2017-18342 #52

redshiftzero commented Jan 11, 2019

Update pyyaml when 4.2 release is available due to CVE-2017-18342 #52

Update pyyaml when 4.2 release is available due to CVE-2017-18342 #52

Comments

redshiftzero commented Jan 11, 2019

Description