
PyYAML update CVE-2017-18342


Issue Type

  • Bug report

Summary

Currently we have https://github.com/ansible/molecule/blob/9d1dec85ed2f995e2ebd24e234fd8fe4334ecb62/requirements.txt#L15

CVE-2017-18342 defines

Vulnerable versions: < 4.2b1
Patched version: 4.2b1
In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used.

Do we need to update?
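The advisory quoted above is about yaml.load() being called without a safe loader: on PyYAML releases before 5.1, yaml.load(text) with no Loader argument uses yaml.Loader, which honours tags such as !!python/object/apply and so instantiates arbitrary Python objects; 5.1 made the bare call warn and fall back to FullLoader, and 6.0 made the Loader argument mandatory. Before deciding whether a pin bump is enough, a practitioner would want to know where the code base actually calls yaml.load. The following is an added example written for this page, not code from molecule or from the issue: a stdlib-only audit that walks Python source with ast and classifies every PyYAML load call by the loader it passes. The scanned SAMPLE_SOURCE is a constructed file, and the function names (audit_yaml_calls, Finding) are the editor's own.

```python
"""Audit Python source for PyYAML load()/load_all() calls by loader (added example)."""
import ast
from dataclasses import dataclass

# PyYAML loader classes and what they construct.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "CLoader", "CUnsafeLoader"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}
LOAD_FUNCS = {"load", "load_all"}
SAFE_FUNCS = {"safe_load", "safe_load_all"}


@dataclass
class Finding:
    line: int
    call: str       # PyYAML function actually invoked (import aliases resolved)
    severity: str   # "unsafe", "review" or "ok"
    reason: str


def _yaml_bindings(tree):
    """Collect module aliases ('import yaml as y') and name bindings ('from yaml import load as l')."""
    modules, funcs = set(), {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    modules.add(alias.asname or "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                funcs[alias.asname or alias.name] = alias.name
    return modules, funcs


def _called_name(func, modules, funcs):
    """Resolve which PyYAML function a call targets, or None if it is not one."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name) \
            and func.value.id in modules:
        return func.attr
    if isinstance(func, ast.Name):
        return funcs.get(func.id)
    return None


def _loader_arg(call):
    """The Loader passed to load()/load_all(): Loader= keyword, else the 2nd positional."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return kw.value
    return call.args[1] if len(call.args) >= 2 else None


def _classify_loader(node):
    name = node.attr if isinstance(node, ast.Attribute) else getattr(node, "id", None)
    if name in SAFE_LOADERS:
        return "ok", f"explicit {name}"
    if name in UNSAFE_LOADERS:
        return "unsafe", f"{name} constructs arbitrary Python objects from !!python/ tags"
    if name == "FullLoader":
        return "review", "FullLoader is not SafeLoader; check the pinned PyYAML release"
    return "review", "loader is not a PyYAML loader name; inspect manually"


def audit_yaml_calls(source: str) -> list:
    """Return Findings for every PyYAML load/safe_load call in `source`, sorted by line."""
    tree = ast.parse(source)
    modules, funcs = _yaml_bindings(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _called_name(node.func, modules, funcs)
        if name in SAFE_FUNCS:
            findings.append(Finding(node.lineno, name, "ok", "safe_* always uses SafeLoader"))
        elif name in LOAD_FUNCS:
            loader = _loader_arg(node)
            if loader is None:
                sev, why = "unsafe", "no Loader: PyYAML < 5.1 defaults to yaml.Loader (CVE-2017-18342)"
            else:
                sev, why = _classify_loader(loader)
            findings.append(Finding(node.lineno, name, sev, why))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample module exercising the call shapes seen in real code bases.
SAMPLE_SOURCE = '''
import yaml
from yaml import load as yload

def read_config(text):
    return yaml.load(text)                       # no Loader at all

def read_inventory(text):
    return yaml.load(text, Loader=yaml.Loader)   # explicit unsafe loader

def read_vars(text):
    return yaml.load(text, yaml.FullLoader)      # loader passed positionally

def read_safe(text):
    return yaml.safe_load(text)

def read_stream(f):
    return list(yaml.load_all(f, Loader=yaml.SafeLoader))

def read_legacy(text):
    return yload(text)                           # aliased import, no Loader
'''

if __name__ == "__main__":
    for f in audit_yaml_calls(SAMPLE_SOURCE):
        print(f"line {f.line:>3}  {f.severity:<6}  {f.call:<9}  {f.reason}")
```

Run over a checkout, the "unsafe" rows are the ones a version bump alone does not fix: yaml.load(text, Loader=yaml.Loader) stays exploitable on every PyYAML release, while the bare yaml.load(text) calls become warnings on 5.1 and hard errors on 6.0. The durable fix for each is yaml.safe_load or an explicit Loader=yaml.SafeLoader.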

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 2
  • Comments: 17 (15 by maintainers)

Top GitHub Comments

2 reactions
triplepoint commented, Mar 24, 2019

In any case it’d be nice to bump molecule’s dependency to the 5.1 release of pyyaml, or at least test on 5.1 and loosen up the version pinning. Every project I have that imports molecule has Github emailing me about “critical” security vulnerabilities.

2 reactions
seandst commented, Mar 14, 2019

Whoops. ansible itself still depends on pyyaml, so this change would likely need to affect the entire stack.


Top Results From Across the Web

  • Vulnerability Details : CVE-2017-18342
    CVE-2017-18342 : In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used ... Publish Date : 2018-06-27 Last Update Date...
  • Arbitrary Code Execution in pyyaml | CVE-2017-18342 | Snyk
    Upgrade PyYAML to version 4.2b1 or higher. Overview. Affected versions of this package are vulnerable to Arbitrary Code Execution due to using ...
  • CVE-2017-18342 PyYAML: yaml.load() API could execute ...
    A future update may address this issue. The PyYAML library that is provided in the Red Hat OpenStack repositories is vulnerable. However, there...
  • CVE-2017-18342 Detail - NVD
    CVE-2017-18342 Detail. Current Description. In PyYAML before 5.1, ... https://github.com/yaml/pyyaml/pull/74, Patch Third Party Advisory.
  • 659348 – (CVE-2017-18342) <dev-python/pyyaml-5.1: using ...
    It is reported that in PyYAML before 4.1, usage of yaml.load() function on untrusted ... pyyaml/files/pyyaml-5.1-cve-2017-18342.patch | 40 ...
