From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 2/2] package/python-pyyaml: security bump to version 5.4.1
Date: Tue, 2 Mar 2021 21:49:41 +0100 [thread overview]
Message-ID: <20210302204941.GG2275@scaer> (raw)
In-Reply-To: <20210302172523.373997-2-fontaine.fabrice@gmail.com>
Fabrice, All,
On 2021-03-02 18:25 +0100, Fabrice Fontaine spake thusly:
> Fix CVE-2020-14343: A vulnerability was discovered in the PyYAML library
> in versions before 5.4, where it is susceptible to arbitrary code
> execution when it processes untrusted YAML files through the full_load
> method or with the FullLoader loader. Applications that use the library
> to process untrusted input may be vulnerable to this flaw. This flaw
> allows an attacker to execute arbitrary code on the system by abusing
> the python/object/new constructor. This flaw is due to an incomplete fix
> for CVE-2020-1747.
>
> Update hash of LICENSE file (update in year:
> https://github.com/yaml/pyyaml/commit/58d0cb7ee09954c67fabfbd714c5673b03e7a9e1)
>
> https://github.com/yaml/pyyaml/blob/5.4.1/CHANGES
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> package/python-pyyaml/python-pyyaml.hash | 6 +++---
> package/python-pyyaml/python-pyyaml.mk | 4 ++--
> package/python3-pyyaml/python3-pyyaml.mk | 4 ++--
> 3 files changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/package/python-pyyaml/python-pyyaml.hash b/package/python-pyyaml/python-pyyaml.hash
> index 90e1f2199e..82b2f4f880 100644
> --- a/package/python-pyyaml/python-pyyaml.hash
> +++ b/package/python-pyyaml/python-pyyaml.hash
> @@ -1,5 +1,5 @@
> # md5, sha256 from https://pypi.org/pypi/PyYAML/json
> -md5 d3590b85917362e837298e733321962b PyYAML-5.3.1.tar.gz
> -sha256 b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d PyYAML-5.3.1.tar.gz
> +md5 46e25294c7efec23d4072ed6a7777f46 PyYAML-5.4.1.tar.gz
> +sha256 607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e PyYAML-5.4.1.tar.gz
> # Locally computed sha256 checksums
> -sha256 c40112449f254b9753045925248313e9270efa36d226b22d82d4cc6c43c57f29 LICENSE
> +sha256 8d3928f9dc4490fd635707cb88eb26bd764102a7282954307d3e5167a577e8a4 LICENSE
> diff --git a/package/python-pyyaml/python-pyyaml.mk b/package/python-pyyaml/python-pyyaml.mk
> index c2d0435275..87c0fe4e81 100644
> --- a/package/python-pyyaml/python-pyyaml.mk
> +++ b/package/python-pyyaml/python-pyyaml.mk
> @@ -5,9 +5,9 @@
> ################################################################################
>
> # Please keep in sync package/python3-pyyaml/python3-pyyaml.mk
> -PYTHON_PYYAML_VERSION = 5.3.1
> +PYTHON_PYYAML_VERSION = 5.4.1
> PYTHON_PYYAML_SOURCE = PyYAML-$(PYTHON_PYYAML_VERSION).tar.gz
> -PYTHON_PYYAML_SITE = https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c
> +PYTHON_PYYAML_SITE = https://files.pythonhosted.org/packages/a0/a4/d63f2d7597e1a4b55aa3b4d6c5b029991d3b824b5bd331af8d4ab1ed687d
> PYTHON_PYYAML_SETUP_TYPE = distutils
> PYTHON_PYYAML_LICENSE = MIT
> PYTHON_PYYAML_LICENSE_FILES = LICENSE
> diff --git a/package/python3-pyyaml/python3-pyyaml.mk b/package/python3-pyyaml/python3-pyyaml.mk
> index 1b467645aa..079408e63f 100644
> --- a/package/python3-pyyaml/python3-pyyaml.mk
> +++ b/package/python3-pyyaml/python3-pyyaml.mk
> @@ -5,9 +5,9 @@
> ################################################################################
>
> # Please keep in sync with package/python-pyyaml/python-pyyaml.mk
> -PYTHON3_PYYAML_VERSION = 5.3.1
> +PYTHON3_PYYAML_VERSION = 5.4.1
> PYTHON3_PYYAML_SOURCE = PyYAML-$(PYTHON3_PYYAML_VERSION).tar.gz
> -PYTHON3_PYYAML_SITE = https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c
> +PYTHON3_PYYAML_SITE = https://files.pythonhosted.org/packages/a0/a4/d63f2d7597e1a4b55aa3b4d6c5b029991d3b824b5bd331af8d4ab1ed687d
> PYTHON3_PYYAML_SETUP_TYPE = distutils
> PYTHON3_PYYAML_LICENSE = MIT
> PYTHON3_PYYAML_LICENSE_FILES = LICENSE
> --
> 2.30.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
prev parent reply other threads:[~2021-03-02 20:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-02 17:25 [Buildroot] [PATCH 1/2] package/python-pyyaml: add CPE variables Fabrice Fontaine
2021-03-02 17:25 ` [Buildroot] [PATCH 2/2] package/python-pyyaml: security bump to version 5.4.1 Fabrice Fontaine
2021-03-02 20:49 ` Yann E. MORIN [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210302204941.GG2275@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox