Allow PyYAML 5.4.x #5887

Merged: 1 commit into aws:develop, Feb 19, 2021

Conversation

@dcarley (Contributor) commented Jan 21, 2021

Description of changes:

PyYAML 5.4 was released a couple of days ago with a fix for:

- https://ubuntu.com/security/CVE-2020-14343
- yaml/pyyaml#420
- https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

The changes otherwise appear to be backwards compatible:

- https://github.com/yaml/pyyaml/blob/5.4.1/CHANGES

Being able to use a later version is important for companies that have
automatic dependency scanning for CVEs.

Issue #, if available:

N/A

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@shivaylamba

@dcarley can you fix merge conflicts

PyYAML 5.4 was released a couple of days ago with a fix for:

- https://ubuntu.com/security/CVE-2020-14343
- yaml/pyyaml#420
- https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

The changes otherwise appear to be backwards compatible:

- https://github.com/yaml/pyyaml/blob/5.4.1/CHANGES

Being able to use a later version is important for companies that have
automatic dependency scanning for CVEs.
@dcarley (Contributor, Author) commented Feb 8, 2021

> @dcarley can you fix merge conflicts

Sure, rebased against develop now. Nice to see those conditionals go 😄

@tejaschumbalkar

What is the ETA for the PR merge and package release to pypi?

@MihaiBojin

Hi @dcarley @shivaylamba, PyYAML 5.3.1 (the version currently required by awscli) has a 9.6 CVSS vulnerability: https://snyk.io/vuln/SNYK-PYTHON-PYYAML-590151
If possible, can you please prioritize merging this PR and releasing awscli to PyPI?

Thank you!

@nateprewitt (Member)

Hi everyone,

Just to clarify, the CLI is not impacted by this CVE. We only use the safe_load API which was not part of the vulnerability. We're actively working on getting this fully validated and will have an upcoming release merging this to unblock use with other packages ASAP.
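A statement like the one above ("we only use the safe_load API") is something a practitioner will usually want to verify against the codebase rather than take on trust, and the same check tells you whether the PyYAML 5.4 fix described at the top of this PR matters for a given project. The following is an added example, not code from aws-cli or PyYAML: a small ast-based audit that finds every PyYAML loading call in Python source and classifies it against the loader semantics behind CVE-2020-14343 (SafeLoader and safe_load are unaffected; FullLoader and full_load were exploitable before 5.4; yaml.load without a Loader, and the unsafe_load family, construct arbitrary Python objects). It uses only the standard library, so it runs offline without PyYAML installed. The sample source it scans is constructed inline for the example, and the verdict labels and function names such as audit_source are this example's own.

```python
"""Audit Python source for PyYAML loading calls affected by CVE-2020-14343.

Added example: not code from aws-cli or PyYAML. Only the standard library is
used (PyYAML itself is never imported), so it runs offline against any tree.
Verdicts:
  safe        SafeLoader/BaseLoader family: plain YAML types only
  fix-in-5.4  FullLoader / full_load: arbitrary code execution before 5.4
  unsafe      no Loader, or Loader/UnsafeLoader/unsafe_load: arbitrary objects
"""
import ast
from typing import Dict, List, Optional, Tuple

SAFE_FUNCS = {"safe_load", "safe_load_all"}
FULL_FUNCS = {"full_load", "full_load_all"}
UNSAFE_FUNCS = {"unsafe_load", "unsafe_load_all"}
GENERIC_FUNCS = {"load", "load_all"}          # behaviour set by Loader=
ALL_FUNCS = SAFE_FUNCS | FULL_FUNCS | UNSAFE_FUNCS | GENERIC_FUNCS
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
FULL_LOADERS = {"FullLoader", "CFullLoader"}

Finding = Tuple[int, str, str, str]  # (line, function, verdict, reason)


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Render a Name/Attribute chain such as yaml.SafeLoader as a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _loader_arg(call: ast.Call) -> Optional[str]:
    """Bare class name passed as Loader=..., '<dynamic>' if not a name, else None."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            name = _dotted_name(kw.value)
            return name.rsplit(".", 1)[-1] if name else "<dynamic>"
    return None


def _verdict(func: str, loader: Optional[str]) -> Tuple[str, str]:
    """Map a yaml function (and its Loader keyword) to a verdict and reason."""
    if func in SAFE_FUNCS:
        return "safe", "safe_load never constructs Python objects"
    if func in FULL_FUNCS:
        return "fix-in-5.4", "full_load is exploitable on PyYAML < 5.4 (CVE-2020-14343)"
    if func in UNSAFE_FUNCS:
        return "unsafe", "unsafe_load constructs arbitrary Python objects by design"
    # yaml.load / yaml.load_all: everything depends on the Loader keyword
    if loader is None:
        return "unsafe", "no Loader=: full Loader before 5.1, FullLoader (with a warning) on 5.1-5.3"
    if loader in SAFE_LOADERS:
        return "safe", f"Loader={loader}"
    if loader in FULL_LOADERS:
        return "fix-in-5.4", f"Loader={loader} is exploitable on PyYAML < 5.4 (CVE-2020-14343)"
    return "unsafe", f"Loader={loader} constructs arbitrary Python objects"


def audit_source(source: str) -> List[Finding]:
    """Return one finding per PyYAML loading call found in `source`, by line."""
    tree = ast.parse(source)
    module_aliases: Dict[str, str] = {}  # local name -> "yaml"   (import yaml as y)
    func_aliases: Dict[str, str] = {}    # local name -> function (from yaml import load as l)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    module_aliases[alias.asname or "yaml"] = "yaml"
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                func_aliases[alias.asname or alias.name] = alias.name

    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func: Optional[str] = None
        target = node.func
        if (isinstance(target, ast.Attribute) and isinstance(target.value, ast.Name)
                and target.value.id in module_aliases):
            func = target.attr                       # yaml.load(...)
        elif isinstance(target, ast.Name) and target.id in func_aliases:
            func = func_aliases[target.id]           # load(...) after a from-import
        if func not in ALL_FUNCS:
            continue
        verdict, reason = _verdict(func, _loader_arg(node))
        findings.append((node.lineno, func, verdict, reason))
    findings.sort(key=lambda f: f[0])
    return findings


def needs_pyyaml_54(findings: List[Finding]) -> bool:
    """True if any call is only fixed by upgrading to PyYAML >= 5.4."""
    return any(verdict == "fix-in-5.4" for _, _, verdict, _ in findings)


# Constructed sample source (not from any real project) exercising each path.
SAMPLE_SOURCE = """\
import yaml
import yaml as y
from yaml import load as yload, safe_load

cfg = yaml.safe_load(open("config.yaml"))
doc = yaml.load(text, Loader=yaml.SafeLoader)
full = yaml.load(text, Loader=yaml.FullLoader)
legacy = yload(text)
raw = y.unsafe_load(text)
also = safe_load(text)
"""

if __name__ == "__main__":
    results = audit_source(SAMPLE_SOURCE)
    for line, func, verdict, reason in results:
        print(f"line {line}: {func:12s} {verdict:10s} {reason}")
    print("upgrade to PyYAML >= 5.4 required:", needs_pyyaml_54(results))
```

Run it over a real tree by reading each `.py` file and passing its text to `audit_source`. A project whose only findings are `safe` is in the position nateprewitt describes (the CVE does not reach it, and the version bump matters only for dependency scanners); any `fix-in-5.4` finding means the upgrade is a genuine fix, and any `unsafe` finding is a code change, not a version bump, because no PyYAML release makes those calls safe on untrusted input.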

@kyleknap (Contributor) left a comment

Thanks! 🚢

@kyleknap kyleknap merged commit afadc66 into aws:develop Feb 19, 2021
@fbaier-fn fbaier-fn mentioned this pull request Sep 16, 2022