Drop YAML v2 support #1399

Closed
1 task done
sagikazarmark opened this issue Jul 10, 2022 · 2 comments · Fixed by #1493
Labels
kind/enhancement New feature or request release-note/breaking-change Release note: Breaking Changes

Comments

@sagikazarmark (Collaborator)

Preflight Checklist

  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

YAML v2 has not been updated for a long time and it contains vulnerabilities (e.g. CVE-2022-28948).

Proposed Solution

Since YAML v3 became the default, we should consider dropping YAML v2.

Alternatives Considered

YAML v2 could be moved to an external library.

Additional Information

YAML v3 is not fully backward compatible with v2, so we should wait a couple of months for feedback to make sure it's working as expected.

@sagikazarmark sagikazarmark added the kind/enhancement New feature or request label Jul 10, 2022
Repository owner deleted a comment from github-actions bot Jul 10, 2022
@sagikazarmark sagikazarmark added the release-note/breaking-change Release note: Breaking Changes label Jul 10, 2022
@sagikazarmark sagikazarmark added this to the 2022 Q4 milestone Jul 10, 2022
@wzalazar commented Aug 26, 2022

Hi @sagikazarmark, it seems we need to update YAML v2 to at least v2.2.8 due to this vulnerability reported by dependabot: CVE-2019-11254

https://github.com/spf13/viper/blob/master/go.sum#L898-L902

Issue description:

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Is there any possibility to do that?

Thanks in advance ;)
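The comment above is essentially a dependency audit: which versions of `gopkg.in/yaml.v2` does the module graph still carry, and are any of them older than the v2.2.8 floor named for CVE-2019-11254? The following Go program is an added example (not Viper's code and not anything from the thread) that performs that check over go.sum text. The `go.sum` lines it scans are constructed for the example, with placeholder hashes rather than real ones; the function names `OutdatedVersions` and `parseSemver` are mine.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleGoSum is a constructed stand-in for a go.sum file. The h1: values are
// placeholders, not real module hashes. The pseudo-version on the first line
// is likewise made up to exercise the "-<timestamp>-<hash>" parsing path.
const sampleGoSum = `gopkg.in/yaml.v2 v2.0.0-20000101000000-000000000000 h1:placeholder=
gopkg.in/yaml.v2 v2.2.2 h1:placeholder=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:placeholder=
gopkg.in/yaml.v2 v2.4.0 h1:placeholder=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:placeholder=
gopkg.in/yaml.v3 v3.0.1 h1:placeholder=
`

// parseSemver turns "v2.2.8" (optionally carrying a "/go.mod" suffix, a
// pre-release or pseudo-version tail, or "+incompatible") into its numeric
// major.minor.patch parts. The second result is false for unparsable input.
func parseSemver(v string) ([3]int, bool) {
	v = strings.TrimSuffix(v, "/go.mod")
	v = strings.TrimPrefix(v, "v")
	// Everything after "-" or "+" is pre-release / build metadata; for a
	// floor comparison the core triple is what matters.
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, false
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}, false
		}
		out[i] = n
	}
	return out, true
}

// lessThan reports whether version a sorts strictly before version b.
func lessThan(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// OutdatedVersions scans go.sum text and returns every distinct version of
// module that is older than minFixed, in the order first seen. Both the
// "h1:" and "/go.mod" entries of one version count once.
func OutdatedVersions(goSum, module, minFixed string) []string {
	floor, ok := parseSemver(minFixed)
	if !ok {
		return nil
	}
	seen := map[string]bool{}
	var out []string
	for _, line := range strings.Split(goSum, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != module {
			continue
		}
		ver := strings.TrimSuffix(fields[1], "/go.mod")
		parsed, ok := parseSemver(ver)
		if !ok || seen[ver] {
			continue
		}
		seen[ver] = true
		if lessThan(parsed, floor) {
			out = append(out, ver)
		}
	}
	return out
}

func main() {
	old := OutdatedVersions(sampleGoSum, "gopkg.in/yaml.v2", "v2.2.8")
	if len(old) == 0 {
		fmt.Println("no gopkg.in/yaml.v2 entries below v2.2.8")
		return
	}
	for _, v := range old {
		fmt.Printf("gopkg.in/yaml.v2 %s is below the v2.2.8 floor\n", v)
	}
}
```

One caveat on what this tells you: go.sum records every module version the build ever consulted, not only the version minimal version selection actually picks, so a hit here is a prompt to confirm with `go list -m gopkg.in/yaml.v2` (or to run `govulncheck`, which reports only vulnerable code that is actually reachable) rather than proof that the old version ships in the binary.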

@sagikazarmark (Collaborator, Author)

@wzalazar YAML v2 will be upgraded to 2.4 in the next version.
