address CVE-2020-14343 in next release (if possible)

anchore / anchore-cli

Simple command-line client to the Anchore Engine service

Apache License 2.0

114 stars 54 forks source link

address CVE-2020-14343 in next release (if possible) #148

Closed bhearn7 closed 3 years ago

bhearn7 commented 3 years ago

Version: 0.9.0 CVE ID: CVE-2020-14343 Severity: High Package Name: pyyaml Package Version: 5.3.1 Fixed In: not fixed URLs: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14343

Additional Notes:

why did Twistlock pick this up and Anchore didn't?
RH states as "Not Affected" for RHEL 8
PyYaml 5.3.1 is the latest version

zhill commented 3 years ago

Closed by #156 for v0.9.1 release