Created attachment 213814 [details] Patch for py-yaml Update py-yaml to 5.3.1 Tested on FreeBSD 13.0-CURRENT #0 r358620 (AMD64) (VM) Poudriere OK 12.1-RELEASE (AMD64) Test report (make test): TESTS: 2614
Sounds lie this needs a vuxml entry and get merged to quarterly as well?
A commit references this bug: Author: jpaetzel Date: Mon Apr 27 20:22:43 UTC 2020 New revision: 533167 URL: https://svnweb.freebsd.org/changeset/ports/533167 Log: Update to 5.3.1 This release contains a security fix for CVE-2020-1747. FullLoader was still exploitable for arbitrary command execution. https://bugzilla.redhat.com/show_bug.cgi?id=1807367 Thanks to Riccardo Schirone (https://github.com/ret2libc) for both reporting this and providing the fixes to resolve it. - https://github.com/yaml/pyyaml/pull/386 PR: 245937 Submitted by: daniel.engberg.lists@pyret.net MFH: 2020Q2 Security: http://vuxml.freebsd.org/freebsd/aae8fecf-888e-11ea-9714-08002718de91.html Changes: head/devel/py-yaml/Makefile head/devel/py-yaml/distinfo
Committed, thanks!
Thanks, I managed to overlook the CVE. Sorry about that and thanks for fixing it!
A commit references this bug: Author: jpaetzel Date: Tue Apr 28 14:52:41 UTC 2020 New revision: 533252 URL: https://svnweb.freebsd.org/changeset/ports/533252 Log: MFH: r533167 Update to 5.3.1 This release contains a security fix for CVE-2020-1747. FullLoader was still exploitable for arbitrary command execution. https://bugzilla.redhat.com/show_bug.cgi?id=1807367 Thanks to Riccardo Schirone (https://github.com/ret2libc) for both reporting this and providing the fixes to resolve it. - https://github.com/yaml/pyyaml/pull/386 PR: 245937 Submitted by: daniel.engberg.lists@pyret.net Security: http://vuxml.freebsd.org/freebsd/aae8fecf-888e-11ea-9714-08002718de91.html Approved by: portmgr (joneum) Changes: _U branches/2020Q2/ branches/2020Q2/devel/py-yaml/Makefile branches/2020Q2/devel/py-yaml/distinfo