Closed Josca closed 5 years ago
@Josca all of the yaml.load calls have been converted to yaml.safe_load calls in core to mitigate this CVE.
@bfahr yes, but it's still better to upgrade pyyaml. Now all projects using insights-core are locked to this old pyyaml version to avoid conflicts in dependency versions. For instance, this is the case for our vulnerability-engine project. You can simply resolve it by merging my PR #2012.
Fixed by #2012
There is a security issue, CVE-2017-18342, because of the use of pyyaml < 4.1.
Please upgrade it. You can add a condition in setup.py to use the old version only where necessary (python < 2.7).
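Two things a practitioner would want to check after reading this thread are which yaml.load calls in a code base are still unsafe, and what the CVE's mechanism actually is. The following is an added example, not insights-core code and not the contents of PR #2012: an ast-based audit for yaml.load calls that are not pinned to a safe Loader, run over a constructed sample module, plus a guarded demonstration that yaml.safe_load rejects the !!python/object/apply tag that the full loader honours. The sample source, the function names and the harmless math.sqrt target are assumptions made for this example; only the standard library is required, and the demonstration is skipped when PyYAML is not installed.

```python
"""Added example (not insights-core code): audit Python source for yaml.load()
calls that are not pinned to a safe Loader, and show why yaml.safe_load()
closes the CVE-2017-18342 code-execution path."""
import ast

# Constructed sample module, standing in for a file under audit. Line numbers
# below are those of this string (line 1 is the blank line after the quotes).
SAMPLE_SOURCE = """
import yaml
from yaml import load as yload

def a(text):
    return yaml.load(text)                          # unsafe: no Loader given
def b(text):
    return yaml.load(text, Loader=yaml.SafeLoader)  # safe
def c(text):
    return yaml.safe_load(text)                     # safe
def d(text):
    return yaml.load(text, Loader=yaml.Loader)      # unsafe: full constructor set
def e(text):
    return yload(text)                              # unsafe: aliased yaml.load
"""

SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}


def _loader_name(node):
    """Name of a loader expression: `yaml.Loader` -> 'Loader', `Loader` -> 'Loader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_unsafe_yaml_loads(source):
    """Return a sorted list of (lineno, reason) for every call to PyYAML's
    load() that is not pinned to a safe Loader. Handles `import yaml as y`
    and `from yaml import load as x`; it does not follow re-exports or
    dynamic attribute access, so treat a clean result as a first pass only."""
    tree = ast.parse(source)
    module_names, load_names = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            module_names.update(a.asname or a.name for a in node.names if a.name == "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            load_names.update(a.asname or a.name for a in node.names if a.name == "load")

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        is_load = (isinstance(func, ast.Attribute) and func.attr == "load"
                   and isinstance(func.value, ast.Name) and func.value.id in module_names)
        is_load = is_load or (isinstance(func, ast.Name) and func.id in load_names)
        if not is_load:
            continue
        loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader is None and len(node.args) >= 2:
            loader = node.args[1]  # Loader passed positionally
        if loader is None:
            findings.append((node.lineno, "yaml.load() without an explicit Loader"))
        elif _loader_name(loader) not in SAFE_LOADERS:
            findings.append((node.lineno, "yaml.load() with a non-safe Loader"))
    return sorted(findings)


def demo_safe_load_vs_load():
    """With PyYAML installed, show the mechanism behind CVE-2017-18342: a
    document tagged !!python/object/apply makes the full loader call an
    arbitrary importable callable, while safe_load refuses the tag. The
    document is constructed here and targets math.sqrt rather than os.system,
    so running it is harmless. Returns None when PyYAML is not available."""
    try:
        import yaml
    except ImportError:
        return None
    hostile_doc = "!!python/object/apply:math.sqrt [16]"
    try:
        yaml.safe_load(hostile_doc)
        rejected = False
    except yaml.YAMLError:  # ConstructorError: no constructor for that tag
        rejected = True
    # UnsafeLoader exists from PyYAML 5.1; older releases only have Loader.
    full_loader = getattr(yaml, "UnsafeLoader", yaml.Loader)
    executed = yaml.load(hostile_doc, Loader=full_loader)  # -> 4.0
    return {"safe_load_rejected": rejected, "unsafe_result": executed}


if __name__ == "__main__":
    for lineno, reason in find_unsafe_yaml_loads(SAMPLE_SOURCE):
        print("line %d: %s" % (lineno, reason))
    print(demo_safe_load_vs_load())
```

The conditional pin the issue asks for can be expressed with a PEP 508 environment marker in install_requires, for example `"PyYAML<4.1; python_version < '2.7'"` beside an unconditional newer pin for everything else. Keep the audit in CI regardless of the pin: upgrading the package does not help a call that still passes Loader=yaml.Loader, which remains the full, unsafe constructor set.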