RedHatInsights / insights-core

Insights Core is a data collection and processing framework used by Red Hat Insights
https://cloud.redhat.com/insights
Apache License 2.0

Critical security issue in dependency pyyaml #2013

Closed Josca closed 5 years ago

Josca commented 5 years ago

There is a security issue, CVE-2017-18342, because of the use of pyyaml < 4.1.

Please upgrade it. You can add a condition in setup.py to use the old version only if necessary (python < 2.7).

bfahr commented 5 years ago

@Josca all of the yaml.load calls have been converted to yaml.safe_load calls in core to mitigate this CVE.
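As an added example (not insights-core's own code), a small audit that a maintainer could run over a project's sources to confirm the conversion described above: it reports every `yaml.load()` call that does not name a safe Loader, using only the standard library `ast` module. The module it scans is constructed here for illustration.

```python
import ast

# Constructed sample module (not insights-core code) standing in for a project
# that depends on pyyaml; comments mark what the audit is expected to report.
SAMPLE_SOURCE = '''\
import yaml
from yaml import load as yload, safe_load

def a(text):
    return yaml.load(text)                          # report: default Loader

def b(text):
    return yaml.load(text, Loader=yaml.SafeLoader)  # ok

def c(text):
    return yload(text)                              # report: same call, aliased

def d(text):
    return safe_load(text)                          # ok
'''

SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}


def find_unsafe_yaml_loads(source, filename="<string>"):
    """Return sorted line numbers of yaml.load() calls lacking an explicit safe Loader."""
    tree = ast.parse(source, filename)
    # Follow 'import yaml as x' and 'from yaml import load as y' so aliased calls are caught.
    mods, loads = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods |= {a.asname or a.name for a in node.names if a.name == "yaml"}
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            loads |= {a.asname or a.name for a in node.names if a.name == "load"}
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        via_module = (isinstance(f, ast.Attribute) and f.attr == "load"
                      and isinstance(f.value, ast.Name) and f.value.id in mods)
        if not (via_module or (isinstance(f, ast.Name) and f.id in loads)):
            continue
        # The Loader may be passed as a keyword or as the second positional argument.
        loader = next((k.value for k in node.keywords if k.arg == "Loader"), None)
        if loader is None and len(node.args) > 1:
            loader = node.args[1]
        name = getattr(loader, "attr", None) or getattr(loader, "id", None)
        if name not in SAFE_LOADERS:       # no Loader at all, or a non-safe one
            hits.append(node.lineno)
    return sorted(hits)
```

A hit at a line means that call should become `yaml.safe_load(...)` or be given `Loader=yaml.SafeLoader`.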

Josca commented 5 years ago

@bfahr yes, but it's still better to upgrade pyyaml. Right now all projects using insights-core are locked to this old pyyaml version so as not to have conflicts in dependency versions. For instance, that is the case for our vulnerability-engine project. You can simply resolve it by merging my PR #2012.

bfahr commented 5 years ago

Fixed by #2012