237501 – devel/py-yaml: Update to 5.1

Bug 237501 - devel/py-yaml: Update to 5.1

Summary: devel/py-yaml: Update to 5.1

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	Normal Affects Many People
Assignee:	Josh Paetzel

URL:	https://github.com/yaml/pyyaml/blob/5...
Keywords:	security

Depends on:
Blocks:	237502
	Show dependency tree / graph

Reported:	2019-04-23 16:42 UTC by Sergey Akhmatov
Modified:	2020-01-13 03:25 UTC (History)
CC List:	4 users (show)

See Also:	241576

Flags:	koobs: maintainer-feedback+ koobs: merge-quarterly+

Attachments
py-yaml-5.1.patch (872 bytes, patch) 2019-04-23 16:42 UTC, Sergey Akhmatov	sergey: maintainer-approval? (jpaetzel)	Details \| Diff
vuxml for CVE-2017-18342 in py-yaml (1.48 KB, patch) 2019-04-23 16:44 UTC, Sergey Akhmatov	sergey: maintainer-approval? (jpaetzel)	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sergey Akhmatov 2019-04-23 16:42:51 UTC

Created attachment 203934 [details]
py-yaml-5.1.patch

Update devel/py-yaml to 5.1

ChangeLog: https://github.com/yaml/pyyaml/blob/5.1/announcement.msg
Fixed CVE: https://nvd.nist.gov/vuln/detail/CVE-2017-18342

QA:
poudriere testport: OK on 11.2, 12.0 with all flavors
runtest some ansible-playbooks

Comment 1 Sergey Akhmatov 2019-04-23 16:44:30 UTC

Created attachment 203935 [details]
vuxml for CVE-2017-18342 in py-yaml

Comment 2 Josh Paetzel freebsd_committer

2019-04-24 14:47:58 UTC

Approved

Comment 3 commit-hook freebsd_committer

2019-04-24 15:31:39 UTC

A commit references this bug:

Author: jpaetzel
Date: Wed Apr 24 15:30:41 UTC 2019
New revision: 499855
URL: https://svnweb.freebsd.org/changeset/ports/499855

Log:
  Document py-yaml vulnerability

  PR:	237501
  Submitted by:	sergey@akhmatov.ru
  Security:	CVE-2017-18342

Changes:
  head/security/vuxml/vuln.xml

Comment 4 commit-hook freebsd_committer

2019-04-24 15:34:45 UTC

A commit references this bug:

Author: jpaetzel
Date: Wed Apr 24 15:33:51 UTC 2019
New revision: 499857
URL: https://svnweb.freebsd.org/changeset/ports/499857

Log:
  Update to 5.1

  https://github.com/yaml/pyyaml/blob/5.1/announcement.msg

  =======================
   Announcing PyYAML-5.1
  =======================

  A new MAJOR RELEASE of PyYAML is now available:
  https://pypi.org/project/PyYAML/

  This is the first major release of PyYAML under the new maintenance team.

  Among the many changes listed below, this release specifically addresses the
  arbitrary code execution issue raised by:

      https://nvd.nist.gov/vuln/detail/CVE-2017-18342

  (See https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
  for complete details).
  ...

  PR:	237501
  Reported by:	sergey@akhmatov.ru

Changes:
  head/devel/py-yaml/Makefile
  head/devel/py-yaml/distinfo

Comment 5 Josh Paetzel freebsd_committer

2019-04-24 15:36:21 UTC

Committed, thanks!

Comment 6 Andres Montalban 2019-05-21 16:28:31 UTC

Hi,

This package was upgraded but was not proposed for MFH so I cannot upgrade.

Should I open another bug for secteam?

Thanks!

Comment 7 Josh Paetzel freebsd_committer

2019-05-21 17:00:13 UTC

No, I'll get it merged.

Comment 8 Kubilay Kocak freebsd_committer

2019-05-22 03:43:25 UTC

Re-open pending MFH

Comment 9 commit-hook freebsd_committer

2019-05-29 15:12:03 UTC

A commit references this bug:

Author: jpaetzel
Date: Wed May 29 15:11:11 UTC 2019
New revision: 502966
URL: https://svnweb.freebsd.org/changeset/ports/502966

Log:
  MFH: r499857

  Update to 5.1

  https://github.com/yaml/pyyaml/blob/5.1/announcement.msg

  =======================
   Announcing PyYAML-5.1
  =======================

  A new MAJOR RELEASE of PyYAML is now available:
  https://pypi.org/project/PyYAML/

  This is the first major release of PyYAML under the new maintenance team.

  Among the many changes listed below, this release specifically addresses the
  arbitrary code execution issue raised by:

      https://nvd.nist.gov/vuln/detail/CVE-2017-18342

  (See https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
  for complete details).
  ...

  PR:	237501
  Reported by:	sergey@akhmatov.ru

  Approved by:	ports-secteam (joneum)
  Security:	f6ea18bb-65b9-11e9-8b31-002590045d9c

Changes:
_U  branches/2019Q2/
  branches/2019Q2/devel/py-yaml/Makefile
  branches/2019Q2/devel/py-yaml/distinfo