Your message dated Tue, 30 Dec 2014 21:17:20 +0000
with message-id <[email protected]>
and subject line Bug#772815: fixed in pyyaml 3.10-4+deb7u1
has caused the Debian Bug report #772815,
regarding pyyaml: CVE-2014-9130
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
772815: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772815
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pyyaml
Severity: grave
Tags: security

Hi,
CVE-2014-9130 from libyaml also affects pyyaml. I'm attaching a short
reproducer.

Cheers,
        Moritz
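
import yaml
import codecs

class Settings(object):
    """Receives the top-level keys of the parsed document as attributes."""

settings = Settings()

# Loading the attached YAML document reproduces the bug.
with codecs.open('CVE-2014-9130.yaml', 'r') as stream:
    foo = yaml.load(stream)
    for key, value in foo.items():
        setattr(settings, key, value)
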
abc: 
   def: 'xxx
'  ghi: 'yyy'

--- End Message ---
--- Begin Message ---
Source: pyyaml
Source-Version: 3.10-4+deb7u1

We believe that the bug you reported is fixed in the latest version of
pyyaml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <[email protected]> (supplier of updated pyyaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 28 Dec 2014 23:35:53 +0100
Source: pyyaml
Binary: python-yaml python-yaml-dbg python3-yaml python3-yaml-dbg
Architecture: source amd64
Version: 3.10-4+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Moritz Muehlenhoff <[email protected]>
Description: 
 python-yaml - YAML parser and emitter for Python
 python-yaml-dbg - YAML parser and emitter for Python (debug build)
 python3-yaml - YAML parser and emitter for Python3
 python3-yaml-dbg - YAML parser and emitter for Python3 (debug build)
Closes: 772815
Changes: 
 pyyaml (3.10-4+deb7u1) wheezy-security; urgency=medium
 .
   * CVE-2014-9130, patch by Thorsten Alteholz (Closes: #772815)

--- End Message ---
