Bug 245937 - devel/py-yaml: Update to 5.3.1
Summary: devel/py-yaml: Update to 5.3.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Josh Paetzel
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-26 16:20 UTC by Daniel Engberg
Modified: 2020-04-28 14:53 UTC (History)
0 users

See Also:
bugzilla: maintainer-feedback? (jpaetzel)


Attachments
Patch for py-yaml (1.81 KB, patch)
2020-04-26 16:20 UTC, Daniel Engberg
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Engberg freebsd_committer 2020-04-26 16:20:15 UTC
Created attachment 213814 [details]
Patch for py-yaml

Update py-yaml to 5.3.1

Tested on FreeBSD 13.0-CURRENT #0 r358620 (AMD64) (VM)
Poudriere OK 12.1-RELEASE (AMD64)

Test report (make test):
TESTS: 2614
Comment 1 Josh Paetzel freebsd_committer 2020-04-27 18:52:44 UTC
Sounds lie this needs a vuxml entry and get merged to quarterly as well?
Comment 2 commit-hook freebsd_committer 2020-04-27 20:23:32 UTC
A commit references this bug:

Author: jpaetzel
Date: Mon Apr 27 20:22:43 UTC 2020
New revision: 533167
URL: https://svnweb.freebsd.org/changeset/ports/533167

Log:
  Update to 5.3.1

  This release contains a security fix for CVE-2020-1747. FullLoader was still
  exploitable for arbitrary command execution.
  https://bugzilla.redhat.com/show_bug.cgi?id=1807367

  Thanks to Riccardo Schirone (https://github.com/ret2libc) for both reporting
  this and providing the fixes to resolve it.

    - https://github.com/yaml/pyyaml/pull/386

  PR:	245937
  Submitted by:	daniel.engberg.lists@pyret.net
  MFH:	2020Q2
  Security:	http://vuxml.freebsd.org/freebsd/aae8fecf-888e-11ea-9714-08002718de91.html

Changes:
  head/devel/py-yaml/Makefile
  head/devel/py-yaml/distinfo
Comment 3 Josh Paetzel freebsd_committer 2020-04-27 20:26:28 UTC
Committed, thanks!
Comment 4 Daniel Engberg freebsd_committer 2020-04-27 20:45:42 UTC
Thanks, I managed to overlook the CVE. Sorry about that and thanks for fixing it!
Comment 5 commit-hook freebsd_committer 2020-04-28 14:53:22 UTC
A commit references this bug:

Author: jpaetzel
Date: Tue Apr 28 14:52:41 UTC 2020
New revision: 533252
URL: https://svnweb.freebsd.org/changeset/ports/533252

Log:
  MFH: r533167

  Update to 5.3.1

  This release contains a security fix for CVE-2020-1747. FullLoader was still
  exploitable for arbitrary command execution.
  https://bugzilla.redhat.com/show_bug.cgi?id=1807367

  Thanks to Riccardo Schirone (https://github.com/ret2libc) for both reporting
  this and providing the fixes to resolve it.

    - https://github.com/yaml/pyyaml/pull/386

  PR:	245937
  Submitted by:	daniel.engberg.lists@pyret.net
  Security:	http://vuxml.freebsd.org/freebsd/aae8fecf-888e-11ea-9714-08002718de91.html

  Approved by:	portmgr (joneum)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/devel/py-yaml/Makefile
  branches/2020Q2/devel/py-yaml/distinfo