Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
37d9c23a by Emilio Pozuelo Monfort at 2020-03-03T12:54:14+01:00
CVE-2020-1747/pyyaml: mark as n/a on buster and older
These versions don't have FullLoader, only SafeLoader and Loader.
Loader is thus an unsafe one, and shouldn't be trusted to load
untrusted content, thus it doesn't need to be fixed and could break
programs that make use of it to load trusted yaml with special methods.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -20396,6 +20396,9 @@ CVE-2020-1748
CVE-2020-1747 [arbitrary command execution through python/object/new when
FullLoader is used]
RESERVED
- pyyaml <unfixed> (bug #953013)
+ [buster] - pyyaml <not-affected> (Loader/Constructor classes are unsafe
in this version)
+ [stretch] - pyyaml <not-affected> (Loader/Constructor classes are
unsafe in this version)
+ [jessie] - pyyaml <not-affected> (Loader/Constructor classes are unsafe
in this version)
NOTE: https://github.com/yaml/pyyaml/pull/386
CVE-2020-1746
RESERVED
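Review bot: The parenthetical on the three added [buster], [stretch] and [jessie] lines, "Loader/Constructor classes are unsafe in this version", reads as a statement that the package is vulnerable rather than as a reason for <not-affected>. The CVE title is specifically about FullLoader, and the commit message gives the real justification: these versions have no FullLoader, only SafeLoader and Loader. Consider putting that in the entry itself, for example "(FullLoader not present; Loader is unsafe by design)", so the tracker line is self-explanatory without the commit log.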
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37d9c23a9253a598e6467960ed578def2a8d4db4