Bug 237501 - devel/py-yaml: Update to 5.1
Summary: devel/py-yaml: Update to 5.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Josh Paetzel
URL: https://github.com/yaml/pyyaml/blob/5...
Keywords: security
Depends on:
Blocks: 237502
Reported: 2019-04-23 16:42 UTC by Sergey Akhmatov
Modified: 2020-01-13 03:25 UTC

See Also:
koobs: maintainer-feedback+
koobs: merge-quarterly+


Attachments
py-yaml-5.1.patch (872 bytes, patch)
2019-04-23 16:42 UTC, Sergey Akhmatov
sergey: maintainer-approval? (jpaetzel)
vuxml for CVE-2017-18342 in py-yaml (1.48 KB, patch)
2019-04-23 16:44 UTC, Sergey Akhmatov
sergey: maintainer-approval? (jpaetzel)

Description Sergey Akhmatov 2019-04-23 16:42:51 UTC
Created attachment 203934
py-yaml-5.1.patch

Update devel/py-yaml to 5.1

ChangeLog: https://github.com/yaml/pyyaml/blob/5.1/announcement.msg
Fixed CVE: https://nvd.nist.gov/vuln/detail/CVE-2017-18342

QA:
poudriere testport: OK on 11.2, 12.0 with all flavors
runtest some ansible-playbooks
Comment 1 Sergey Akhmatov 2019-04-23 16:44:30 UTC
Created attachment 203935
vuxml for CVE-2017-18342 in py-yaml
Comment 2 Josh Paetzel freebsd_committer 2019-04-24 14:47:58 UTC
Approved
Comment 3 commit-hook freebsd_committer 2019-04-24 15:31:39 UTC
A commit references this bug:

Author: jpaetzel
Date: Wed Apr 24 15:30:41 UTC 2019
New revision: 499855
URL: https://svnweb.freebsd.org/changeset/ports/499855

Log:
  Document py-yaml vulnerability

  PR:	237501
  Submitted by:	sergey@akhmatov.ru
  Security:	CVE-2017-18342

Changes:
  head/security/vuxml/vuln.xml
Comment 4 commit-hook freebsd_committer 2019-04-24 15:34:45 UTC
A commit references this bug:

Author: jpaetzel
Date: Wed Apr 24 15:33:51 UTC 2019
New revision: 499857
URL: https://svnweb.freebsd.org/changeset/ports/499857

Log:
  Update to 5.1

  https://github.com/yaml/pyyaml/blob/5.1/announcement.msg

  =======================
   Announcing PyYAML-5.1
  =======================

  A new MAJOR RELEASE of PyYAML is now available:
  https://pypi.org/project/PyYAML/

  This is the first major release of PyYAML under the new maintenance team.

  Among the many changes listed below, this release specifically addresses the
  arbitrary code execution issue raised by:

      https://nvd.nist.gov/vuln/detail/CVE-2017-18342

  (See https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
  for complete details).
  ...

  PR:	237501
  Reported by:	sergey@akhmatov.ru

Changes:
  head/devel/py-yaml/Makefile
  head/devel/py-yaml/distinfo
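The deprecation the announcement links to concerns yaml.load() called without an explicit Loader: before 5.1 that call silently used the full Loader, which is what made the arbitrary code execution of CVE-2017-18342 possible, and 5.1 keeps the call working but emits a warning. Upgrading the port therefore does not by itself fix calling code; the call sites still have to be found and moved to yaml.safe_load() or Loader=yaml.SafeLoader. The static scanner below is an added example, not part of this bug, of the port or of PyYAML. It walks a module's AST with the standard library only (no PyYAML needed) and flags load/load_all calls that rely on the default or that name Loader/UnsafeLoader explicitly; SAMPLE_SOURCE is a constructed sample module, and find_unsafe_yaml_loads and the verdict labels are this example's own names.

```python
"""Static scan for PyYAML load() calls that rely on the pre-5.1 default Loader.

Added example (not part of the FreeBSD bug or of PyYAML). Uses only the
standard library, so it runs without PyYAML installed.
"""
import ast
from typing import Dict, List, Set, Tuple

# Loaders that build arbitrary Python objects (e.g. from !!python/object/apply
# tags); naming one of these explicitly is still unsafe on PyYAML 5.1.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader"}
# Loaders restricted to plain YAML types.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}
# The entry points whose default Loader was the full Loader before 5.1.
LOAD_FUNCS = {"load", "load_all"}

# Constructed sample module for the demonstration (not real project code).
SAMPLE_SOURCE = '''\
import yaml
from yaml import load as yload

def parse(text):
    cfg = yaml.load(text)                              # no Loader: unsafe default
    safe = yaml.safe_load(text)                        # fine
    full = yaml.load(text, Loader=yaml.FullLoader)     # not SafeLoader: review
    raw = yaml.load(text, yaml.Loader)                 # positional full Loader
    docs = list(yaml.load_all(text, Loader=yaml.SafeLoader))
    alias = yload(text)                                # imported alias, no Loader
    return cfg, safe, full, raw, docs, alias
'''


def _yaml_bindings(tree: ast.AST) -> Tuple[Set[str], Dict[str, str]]:
    """Collect local names bound to the yaml module and to yaml.load/load_all."""
    modules: Set[str] = set()
    funcs: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    modules.add(alias.asname or "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                if alias.name in LOAD_FUNCS:
                    funcs[alias.asname or alias.name] = alias.name
    return modules, funcs


def _loader_name(node: ast.AST) -> str:
    """Best-effort class name of a Loader argument (yaml.Loader -> 'Loader')."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ast.dump(node)


def find_unsafe_yaml_loads(source: str) -> List[Tuple[int, str, str]]:
    """Return (lineno, call description, verdict) for each load/load_all call
    not explicitly using a safe loader.

    verdict: 'unsafe' when no Loader is passed (full Loader by default before
    5.1, YAMLLoadWarning on 5.1) or Loader/UnsafeLoader is named;
    'review' for any other loader (FullLoader, custom subclasses).
    """
    tree = ast.parse(source)
    modules, funcs = _yaml_bindings(tree)
    findings: List[Tuple[int, str, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and f.attr in LOAD_FUNCS
                and isinstance(f.value, ast.Name) and f.value.id in modules):
            call = f"{f.value.id}.{f.attr}"          # yaml.load / y.load_all
        elif isinstance(f, ast.Name) and f.id in funcs:
            call = f.id                               # from yaml import load
        else:
            continue
        loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader is None and len(node.args) >= 2:   # Loader passed positionally
            loader = node.args[1]
        name = "<default>" if loader is None else _loader_name(loader)
        if name in SAFE_LOADERS:
            continue
        verdict = "unsafe" if loader is None or name in UNSAFE_LOADERS else "review"
        findings.append((node.lineno, f"{call}(Loader={name})", verdict))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, call, verdict in find_unsafe_yaml_loads(SAMPLE_SOURCE):
        print(f"line {lineno}: {call}: {verdict}")
```

Run it against a checkout before and after bumping the port: the "unsafe" sites are the ones 5.1 warns about at runtime, but the scan also catches calls that pass yaml.Loader explicitly, which the runtime warning does not cover, and the "review" verdict keeps anything that is not SafeLoader visible rather than assuming it is harmless.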
Comment 5 Josh Paetzel freebsd_committer 2019-04-24 15:36:21 UTC
Committed, thanks!
Comment 6 Andres Montalban 2019-05-21 16:28:31 UTC
Hi,

This package was upgraded but was not proposed for MFH so I cannot upgrade.

Should I open another bug for secteam?

Thanks!
Comment 7 Josh Paetzel freebsd_committer 2019-05-21 17:00:13 UTC
No, I'll get it merged.
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2019-05-22 03:43:25 UTC
Re-open pending MFH
Comment 9 commit-hook freebsd_committer 2019-05-29 15:12:03 UTC
A commit references this bug:

Author: jpaetzel
Date: Wed May 29 15:11:11 UTC 2019
New revision: 502966
URL: https://svnweb.freebsd.org/changeset/ports/502966

Log:
  MFH: r499857

  Update to 5.1

  https://github.com/yaml/pyyaml/blob/5.1/announcement.msg

  =======================
   Announcing PyYAML-5.1
  =======================

  A new MAJOR RELEASE of PyYAML is now available:
  https://pypi.org/project/PyYAML/

  This is the first major release of PyYAML under the new maintenance team.

  Among the many changes listed below, this release specifically addresses the
  arbitrary code execution issue raised by:

      https://nvd.nist.gov/vuln/detail/CVE-2017-18342

  (See https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
  for complete details).
  ...

  PR:	237501
  Reported by:	sergey@akhmatov.ru

  Approved by:	ports-secteam (joneum)
  Security:	f6ea18bb-65b9-11e9-8b31-002590045d9c

Changes:
_U  branches/2019Q2/
  branches/2019Q2/devel/py-yaml/Makefile
  branches/2019Q2/devel/py-yaml/distinfo