Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade scenarioplayer's pyyaml dependency #3231

Merged

Conversation

LefterisJP
Copy link
Contributor

Pyyaml had an arbitrary code execution vulnerability in previous
versions.

Check https://nvd.nist.gov/vuln/detail/CVE-2017-18342

@ulope please take a look

@pirapira
Copy link
Contributor

pirapira commented Jan 7, 2019

(I tried to look up why the fix is not in the stable release. I found a hot discussion yaml/pyyaml#194 .)

@LefterisJP
Copy link
Contributor Author

@pirapira it's not our problem -- pyyaml is only used by scenario player so there is no real security issue for us at all. It's just to silence the github citical vulnerability emails.

@ulope
Copy link
Collaborator

ulope commented Jan 8, 2019

There's already 4.2b4 released by now. IMO we should just wait a few more days until they have the final 4.2 out. No sense updating to a possibly unstable beta release.

@LefterisJP
Copy link
Contributor Author

LefterisJP commented Jan 8, 2019

@ulope Is it a few more days? IF so sure I can keep the PR open and update when released.. Can you give me a link to the upcoming stable release plan? But judging by their release history of "stable" releases: https://pypi.org/project/PyYAML/#history

There is a 2 year difference between each of the last 3 stable patch releases. I am not going to have the github critical vulnerability emails for another 1.5 years ^_^

@ulope
Copy link
Collaborator

ulope commented Jan 8, 2019

Right, I didn't realize the 4.2b4 is already that old.
But we can simply dismiss that security report since we're not actually vulnerable:

Pyyaml had an arbitrary code execution vulnerability in previous
versions.

Check https://nvd.nist.gov/vuln/detail/CVE-2017-18342
@ulope ulope force-pushed the upgrade_pyyaml_for_scenarioplayer branch from 2c9fcd0 to 9b3eb6f Compare January 9, 2019 15:24
Copy link
Collaborator

@ulope ulope left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Works fine with the scenario player.

I've updated the version to 4.2.b4

@ulope ulope merged commit 12dba59 into raiden-network:master Jan 9, 2019
@LefterisJP LefterisJP deleted the upgrade_pyyaml_for_scenarioplayer branch January 9, 2019 21:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants