Security Vulnerability in PyYAML-3.x: upgrade needed

Bug #1839398 reported by Mario Luan
Affects                      Status        Importance  Assigned to  Milestone
OpenStack Security Advisory  Won't Fix     Undecided   Unassigned
oslo.config                  Fix Released  Medium      Unassigned

Bug Description

PyYAML-3.x has an "Improper Input Validation" security vulnerability [1].

This dependency should be upgraded to at least 5.x in order to resolve this issue.

[1] https://nvd.nist.gov/vuln/detail/CVE-2017-18342

Tags: security

Ben Nemec (bnemec) wrote :

Converting to public as I've pushed a patch for this in https://review.opendev.org/c/openstack/oslo.config/+/776481

Also, it's not really a vulnerability in oslo.config itself, so it's probably just as well that our users be able to see that they should use a newer PyYAML.

Changed in oslo.config:
importance: Undecided → Medium
status: New → Triaged
information type: Private Security → Public Security
Jeremy Stanley (fungi)
Changed in ossa:
status: New → Won't Fix
information type: Public Security → Public
tags: added: security
Jeremy Stanley (fungi) wrote :

Yes, this isn't an OpenStack vulnerability; the VMT is considering it a class C2 report (a vulnerability, but not in OpenStack supported code, e.g., in a dependency): https://security.openstack.org/vmt-process.html#incident-report-taxonomy

Though in reality, I disagree with the premise of CVE-2017-18342 altogether. The pyyaml documentation always made it quite clear that the load() function was not safe for use with untrusted inputs and offered a safe_load() alternative which lacked the ability to evaluate arbitrary Python expressions. The vulnerability was not within pyyaml, but in the individual projects which chose to use it in clearly unsafe ways (and I do not think the uses of load() by oslo.config were patently unsafe). The pyyaml maintainers have chosen to make a non-backward-compatible change to load() so that it's synonymous with safe_load(), which strikes me as a reasonable decision, but that doesn't mean that all uses of the old version are instantly a liability.
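
The load()/safe_load() distinction discussed in the comment above, shown as an added example that is not part of this bug report or of oslo.config's own code; it assumes PyYAML 5.1 or newer is installed (for yaml.UnsafeLoader) and uses a constructed config document whose python/ tag names only the harmless builtins.str.

```python
import yaml
from yaml.constructor import ConstructorError

# Constructed sample config (not from oslo.config): the "name" value
# carries a PyYAML-specific "!!python/" tag. It points at the harmless
# builtins.str here, but the old yaml.load() default would import and
# call whatever callable such a tag named.
TAGGED_DOC = """\
service:
  name: !!python/object/apply:builtins.str ["api"]
  workers: 4
"""

PLAIN_DOC = """\
service:
  name: api
  workers: 4
"""


def load_config_safely(text):
    """Parse YAML with safe_load only.

    Returns (data, None) on success, or (None, reason) when the document
    uses a tag that SafeLoader has no constructor for, such as python/*.
    """
    try:
        return yaml.safe_load(text), None
    except ConstructorError as exc:
        # SafeLoader refuses unknown tags instead of resolving them to
        # Python objects, which is the whole difference from old load().
        return None, exc.problem


def load_config_unsafely(text):
    """Pre-5.1 yaml.load() behaviour, kept only to show the contrast."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


if __name__ == "__main__":
    print(load_config_safely(PLAIN_DOC))
    print(load_config_safely(TAGGED_DOC))
    print(load_config_unsafely(TAGGED_DOC))
```

With a plain document both loaders return the same mapping; with the tagged one safe_load refuses the tag while the unsafe loader silently instantiates the named Python object.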

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/oslo.config 8.5.0

This issue was fixed in the openstack/oslo.config 8.5.0 release.

Changed in oslo.config:
status: Triaged → Fix Released