Hello community,
here is the log from the commit of package python-PyYAML.16008 for
openSUSE:Leap:15.2:Update checked in at 2021-04-04 20:05:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/python-PyYAML.16008 (Old)
and /work/SRC/openSUSE:Leap:15.2:Update/.python-PyYAML.16008.new.2401
(New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-PyYAML.16008"
Sun Apr 4 20:05:01 2021 rev:1 rq:882615 version:5.3.1
Changes:
--------
New Changes file:
--- /dev/null 2021-03-11 01:47:46.020784395 +0100
+++
/work/SRC/openSUSE:Leap:15.2:Update/.python-PyYAML.16008.new.2401/python-PyYAML.changes
2021-04-04 20:05:02.233655494 +0200
@@ -0,0 +1,145 @@
+-------------------------------------------------------------------
+Tue Jan 26 13:58:35 UTC 2021 - Tina M??ller <[email protected]>
+
+- Add pyyaml.CVE-2020-14343.patch (bsc#1174514 CVE-2020-14343)
+ Prevents arbitrary code execution during python/object/* constructors
+ This patch contains the upstream git commit a001f27 from the 5.4 release.
+
+-------------------------------------------------------------------
+Mon Dec 14 17:47:20 UTC 2020 - John Paul Adrian Glaubitz
<[email protected]>
+
+- Update in SLE-15 (bsc#1176785, jsc#ECO-3105, jsc#PM-2352)
+
+-------------------------------------------------------------------
+Fri Apr 3 14:54:51 UTC 2020 - Tina M??ller <[email protected]>
+
+- Add patch pyyaml-5.1.2.patch (bsc#1165439 CVE-2020-1747)
+ Prevents arbitrary code execution during python/object/* constructors
+ (This patch contains the git commits 8c5e47f and 5080ba5 applied to the
5.1.2 release)
+
+-------------------------------------------------------------------
+Thu Mar 19 07:23:23 UTC 2020 - Ond??ej S??kup <[email protected]>
+
+- update to 5.3.1
+ * fixes boo#1165439 (cve-2020-1747) Prevents arbitrary code execution
+ during python/object/new constructor
+
+-------------------------------------------------------------------
+Tue Jan 7 09:55:39 UTC 2020 - Ond??ej S??kup <[email protected]>
+
+- update to 5.3
+ * Use `is` instead of equality for comparing with `None`
+ * fix typos and stylistic nit
+ * Fix up small typo
+ * Fix handling of __slots__
+ * Allow calling add_multi_constructor with None
+ * Add use of safe_load() function in README
+ * Fix reader for Unicode code points over 0xFFFF
+ * Enable certain unicode tests when maxunicode not > 0xffff
+ * Use full_load in yaml-highlight example
+ * Document that PyYAML is implemented with Cython
+ * Fix for Python 3.10
+ * increase size of index, line, and column fields
+ * remove some unused imports
+ * Create timezone-aware datetimes when parsed as such
+ * Add tests for timezone
+
+-------------------------------------------------------------------
+Tue Dec 3 11:31:41 UTC 2019 - Ond??ej S??kup <[email protected]>
+
+- update to 5.2
+ * A more flexible fix for custom tag constructors
+ * Change default loader for yaml.add_constructor
+ * Change default loader for add_implicit_resolver, add_path_resolver
+ * Move constructor for object/apply to UnsafeConstructor
+ * Fix logic for quoting special characters
+
+-------------------------------------------------------------------
+Wed Nov 13 11:43:22 UTC 2019 - John Paul Adrian Glaubitz
<[email protected]>
+
+- Update in SLE-15 (bsc#1140565)
+
+-------------------------------------------------------------------
+Thu Aug 1 13:17:00 UTC 2019 - Marketa Calabkova <[email protected]>
+
+- update to 5.1.2
+ * Re-release of 5.1 with regenerated Cython sources to build properly for
Python 3.8b2+
+
+-------------------------------------------------------------------
+Fri Jun 7 12:04:35 UTC 2019 - Ond??ej S??kup <[email protected]>
+
+- update to 5.1.1
+ * Re-release of 5.1 with regenerated Cython sources to build properly for
Python 3.8
+
+-------------------------------------------------------------------
+Thu Mar 14 14:47:06 UTC 2019 - Tom???? Chv??tal <[email protected]>
+
+- Update to 5.1:
+ * many changes, see CHANGES
+ * bsc#1099308 CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary
code
+
+-------------------------------------------------------------------
+Mon Jan 14 16:06:38 CET 2019 - [email protected]
+
+- Use %license instead of %doc [bsc#1082318]
+
+-------------------------------------------------------------------
+Sun Jul 15 20:22:28 UTC 2018 - [email protected]
+
+- update to 3.13
+ * fix compactibility with python 3.7
+
+-------------------------------------------------------------------
+Fri Mar 3 11:42:12 UTC 2017 - [email protected]
+
+- Use pythonhosted.org for the reference link.
+- Provide python-yaml instead of python2-yaml again.
+
+-------------------------------------------------------------------
+Mon Feb 20 15:19:50 UTC 2017 - [email protected]
+
+- update for multipython build
+
+-------------------------------------------------------------------
+Sat Sep 3 19:26:05 UTC 2016 - [email protected]
+
+- Update to 3.12
+ - Adding an implicit resolver to a derived loader should not
+ affect the base loader (fixes issue #57).
+ - Uniform representation for OrderedDict? across different
+ versions of Python (fixes issue #61).
+ - Fixed comparison to None warning (closes issue #64).
+- fix Source URL
+
+-------------------------------------------------------------------
+Wed Jul 30 09:02:32 UTC 2014 - [email protected]
+
+- Update to 3.11
+ - Source and binary distributions are rebuilt against the latest
+ versions of Cython and LibYAML.
+
+-------------------------------------------------------------------
+Wed Feb 5 14:35:22 CET 2014 - [email protected]
+
+- increase file-descriptor-count for s390 to make tests happy
+
+-------------------------------------------------------------------
+Tue Mar 5 23:39:24 UTC 2013 - [email protected]
+
+- increase file-descriptor-count for ppc to make tests happy
+
+-------------------------------------------------------------------
+Thu Jan 10 19:06:25 UTC 2013 - [email protected]
+
+- Initial python3 support
+
+-------------------------------------------------------------------
+Wed Dec 19 16:01:56 UTC 2012 - [email protected]
+
+- Build against libyaml to get the faster module
+
+-------------------------------------------------------------------
+Tue Jan 31 13:15:21 UTC 2012 - [email protected]
+
+- Initial version
+
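Review bot: The 26 Jan 2021 entry at the top of this hunk describes pyyaml.CVE-2020-14343.patch with the same sentence used for CVE-2020-1747 and does not say what changes for callers. The patch moves the python/module:, python/object: and python/object/new: constructors from FullConstructor to UnsafeConstructor, so documents using those tags stop loading through yaml.full_load() and yaml.load(..., yaml.FullLoader); please state that in the entry, since it is a behaviour change shipped in a maintenance update. Separately, the 3 Apr 2020 entry adds pyyaml-5.1.2.patch, but the spec carries only Patch0: pyyaml.CVE-2020-14343.patch and no entry records the older patch being dropped; a line recording when and why it was dropped would keep the history consistent.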
New:
----
PyYAML-5.3.1.tar.gz
python-PyYAML.changes
python-PyYAML.spec
pyyaml.CVE-2020-14343.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-PyYAML.spec ++++++
#
# spec file for package python-PyYAML
#
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
%define oldpython python
Name: python-PyYAML
Version: 5.3.1
Release: 0
Summary: YAML parser and emitter for Python
License: MIT
URL: https://github.com/yaml/pyyaml
Source:
https://files.pythonhosted.org/packages/source/P/PyYAML/PyYAML-%{version}.tar.gz
Patch0: pyyaml.CVE-2020-14343.patch
BuildRequires: %{python_module devel}
BuildRequires: %{python_module setuptools}
BuildRequires: fdupes
BuildRequires: libyaml-devel
BuildRequires: python-rpm-macros
%ifpython2
# python-yaml was last used in openSUSE 12.1.
Provides: %{oldpython}-yaml = %{version}
Obsoletes: %{oldpython}-yaml < %{version}
%endif
%description
YAML is a data serialization format designed for human readability
and interaction with scripting languages. PyYAML is a YAML parser
and emitter for Python.
PyYAML features a complete YAML 1.1 parser, Unicode support, pickle
support, capable extension API, and sensible error messages. PyYAML
supports standard YAML tags and provides Python-specific tags that
allow to represent an arbitrary Python object.
PyYAML is applicable for a broad range of tasks from complex
configuration files to object serialization and persistance.
%python_subpackages
%prep
%setup -q -n PyYAML-%{version}
%patch0 -p1
%build
export CFLAGS="%{optflags}"
%python_build
# Fix example permissions.
find examples/ -type f | xargs chmod a-x
%install
%python_install
%python_expand %fdupes %{buildroot}%{$python_sitearch}
%check
# Increase file-descriptor-count for ppc to make tests happy.
%ifarch ppc ppc64 s390 s390x
ulimit -Sn 2048
%endif
%python_exec setup.py test
%files %{python_files}
%license LICENSE
%doc CHANGES README examples/
%{python_sitearch}/yaml
%{python_sitearch}/_yaml.*so
%{python_sitearch}/PyYAML-%{version}-py%{python_version}.egg-info
%changelog
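Review bot: In %build, "find examples/ -type f | xargs chmod a-x" splits on whitespace in file names; "find examples/ -type f -exec chmod a-x {} +" does the same job without the pipe. In %check, the comment says the file-descriptor limit is raised for ppc, while the %ifarch line below it also covers s390 and s390x; please update the comment to match the condition.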
++++++ pyyaml.CVE-2020-14343.patch ++++++
commit a001f2782501ad2d24986959f0239a354675f9dc
Author: Ingy döt Net <[email protected]>
Date: Sat Jan 9 10:53:23 2021 -0500
Fix for CVE-2020-14343
Per suggestion
https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344
move a few constructors from full_load to unsafe_load.
diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py
index 794681c..c42ee34 100644
--- a/lib/yaml/constructor.py
+++ b/lib/yaml/constructor.py
@@ -722,18 +722,6 @@ FullConstructor.add_multi_constructor(
u'tag:yaml.org,2002:python/name:',
FullConstructor.construct_python_name)
-FullConstructor.add_multi_constructor(
- u'tag:yaml.org,2002:python/module:',
- FullConstructor.construct_python_module)
-
-FullConstructor.add_multi_constructor(
- u'tag:yaml.org,2002:python/object:',
- FullConstructor.construct_python_object)
-
-FullConstructor.add_multi_constructor(
- u'tag:yaml.org,2002:python/object/new:',
- FullConstructor.construct_python_object_new)
-
class UnsafeConstructor(FullConstructor):
def find_python_module(self, name, mark):
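Review bot: After the three removals in this hunk, the python/name: multi-constructor in the context lines directly above is still registered on FullConstructor, and neither the commit message nor a code comment says why that tag stays reachable from full_load while python/module:, python/object: and python/object/new: do not. Suggest a short comment above the remaining registration stating what keeps python/name: acceptable for FullLoader input, so the next reader does not have to reconstruct the reasoning from issue #420.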
@@ -750,6 +738,18 @@ class UnsafeConstructor(FullConstructor):
return super(UnsafeConstructor, self).set_python_instance_state(
instance, state, unsafe=True)
+UnsafeConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/module:',
+ UnsafeConstructor.construct_python_module)
+
+UnsafeConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/object:',
+ UnsafeConstructor.construct_python_object)
+
+UnsafeConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/object/new:',
+ UnsafeConstructor.construct_python_object_new)
+
UnsafeConstructor.add_multi_constructor(
u'tag:yaml.org,2002:python/object/apply:',
UnsafeConstructor.construct_python_object_apply)
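Review bot: The registrations added here bind UnsafeConstructor.construct_python_module, construct_python_object and construct_python_object_new, but the patch does not touch the method definitions, and the removed lines referenced the same names as FullConstructor.construct_python_*, so the handlers are still attributes of FullConstructor. Only the tag bindings move; downstream code that subclasses FullConstructor or calls FullConstructor.add_multi_constructor with these methods re-enables the tags without going through UnsafeConstructor. Consider moving the method definitions to UnsafeConstructor as well, or at least adding a comment on them that they must not be bound on FullConstructor.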
diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py
index 1948b12..619acd3 100644
--- a/lib3/yaml/constructor.py
+++ b/lib3/yaml/constructor.py
@@ -710,18 +710,6 @@ FullConstructor.add_multi_constructor(
'tag:yaml.org,2002:python/name:',
FullConstructor.construct_python_name)
-FullConstructor.add_multi_constructor(
- 'tag:yaml.org,2002:python/module:',
- FullConstructor.construct_python_module)
-
-FullConstructor.add_multi_constructor(
- 'tag:yaml.org,2002:python/object:',
- FullConstructor.construct_python_object)
-
-FullConstructor.add_multi_constructor(
- 'tag:yaml.org,2002:python/object/new:',
- FullConstructor.construct_python_object_new)
-
class UnsafeConstructor(FullConstructor):
def find_python_module(self, name, mark):
@@ -738,6 +726,18 @@ class UnsafeConstructor(FullConstructor):
return super(UnsafeConstructor, self).set_python_instance_state(
instance, state, unsafe=True)
+UnsafeConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/module:',
+ UnsafeConstructor.construct_python_module)
+
+UnsafeConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/object:',
+ UnsafeConstructor.construct_python_object)
+
+UnsafeConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/object/new:',
+ UnsafeConstructor.construct_python_object_new)
+
UnsafeConstructor.add_multi_constructor(
'tag:yaml.org,2002:python/object/apply:',
UnsafeConstructor.construct_python_object_apply)
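Review bot: Nothing above this block of registrations explains why these tags are bound only on UnsafeConstructor; python/object/apply: in the context lines below was already unsafe-only, and the three additions now join it silently. A one-line comment above the block, in both lib/yaml/constructor.py and lib3/yaml/constructor.py, naming CVE-2020-14343 as the reason would keep a later refactor from moving them back to FullConstructor.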
diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py
index 312204e..04c5798 100644
--- a/tests/lib/test_recursive.py
+++ b/tests/lib/test_recursive.py
@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False):
output2 = None
try:
output1 = yaml.dump(value1)
- value2 = yaml.load(output1, yaml.FullLoader)
+ value2 = yaml.load(output1, yaml.UnsafeLoader)
output2 = yaml.dump(value2)
assert output1 == output2, (output1, output2)
finally:
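Review bot: Switching the round trip to yaml.UnsafeLoader at the value2 line keeps test_recursive passing, but nothing in the patch asserts the fix itself: there is no test that a document tagged python/module:, python/object: or python/object/new: is now rejected when loaded through FullLoader. Suggest adding that negative test in both tests/lib and tests/lib3, so that a later re-registration of these tags on FullConstructor is caught by the suite that %check runs.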
diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py
index 74c2ee6..08042c8 100644
--- a/tests/lib3/test_recursive.py
+++ b/tests/lib3/test_recursive.py
@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False):
output2 = None
try:
output1 = yaml.dump(value1)
- value2 = yaml.full_load(output1)
+ value2 = yaml.unsafe_load(output1)
output2 = yaml.dump(value2)
assert output1 == output2, (output1, output2)
finally: