[Buildroot] [git commit] package/python-pyyaml: security bump to version 5.4.1
Peter Korsgaard
peter at korsgaard.com
Sun Mar 14 20:21:48 UTC 2021
>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:
> commit:
> https://git.buildroot.net/buildroot/commit/?id=de43a9775d4646035b18eb5737e5fa4cd2eeedea
> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
> Fix CVE-2020-14343: A vulnerability was discovered in the PyYAML library
> in versions before 5.4, where it is susceptible to arbitrary code
> execution when it processes untrusted YAML files through the full_load
> method or with the FullLoader loader. Applications that use the library
> to process untrusted input may be vulnerable to this flaw. This flaw
> allows an attacker to execute arbitrary code on the system by abusing
> the python/object/new constructor. This flaw is due to an incomplete fix
> for CVE-2020-1747.
> Update hash of LICENSE file (update in year:
> https://github.com/yaml/pyyaml/commit/58d0cb7ee09954c67fabfbd714c5673b03e7a9e1)
> https://github.com/yaml/pyyaml/blob/5.4.1/CHANGES
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> Signed-off-by: Yann E. MORIN <yann.morin.1998 at free.fr>
Committed to 2020.02.x and 2020.11.x, thanks.
--
Bye, Peter Korsgaard
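
An added example, not part of the original mail or of the Buildroot or PyYAML code: a standard-library audit that lists call sites in Python source which reach the `full_load` / `FullLoader` path named in the commit message, so they can be moved to `safe_load` when the input is untrusted. It goes slightly beyond the commit text by also flagging `full_load_all`, `load_all`, and `load()` calls with no Loader argument; the sample source and the function names `_yaml_func` and `find_full_loader_calls` are constructed for illustration, and the module is assumed to be imported as `yaml`.

```python
import ast

# Constructed sample source to audit; not taken from Buildroot or PyYAML.
SAMPLE = '''
import yaml
from yaml import FullLoader

def read_config(text):
    return yaml.safe_load(text)

def read_upload(text):
    return yaml.full_load(text)

def read_legacy(stream):
    return yaml.load(stream, Loader=FullLoader)

def read_default(stream):
    return yaml.load(stream)
'''

def _yaml_func(call):
    """Name of the function when the call is written yaml.<name>(...), else None.
    Assumption: the module is imported under the name `yaml`."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id == "yaml":
        return f.attr
    return None

def find_full_loader_calls(source):
    """Return sorted (line, reason) pairs for calls that end up using FullLoader."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        func = _yaml_func(node) if isinstance(node, ast.Call) else None
        if func in ("full_load", "full_load_all"):
            findings.append((node.lineno, f"{func}() always uses FullLoader"))
        elif func in ("load", "load_all"):
            loader = next((k.value for k in node.keywords if k.arg == "Loader"), None)
            if loader is None and len(node.args) > 1:
                loader = node.args[1]  # Loader passed positionally
            if loader is None:
                # PyYAML 5.1 and later 5.x releases fall back to FullLoader here.
                findings.append((node.lineno, f"{func}() without an explicit Loader"))
            elif getattr(loader, "attr", getattr(loader, "id", None)) == "FullLoader":
                findings.append((node.lineno, f"{func}() with Loader=FullLoader"))
    return sorted(findings)

if __name__ == "__main__":
    for line, reason in find_full_loader_calls(SAMPLE):
        print(f"line {line}: {reason}")
```

The scan only parses the source with `ast`; it never imports or executes the audited code.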