Bug #1586078 “YaqlYamlLoader inherits from YamlLoader " : Bugs : python-muranoclient

Serg Melikyan (smelikyan) on 2016-05-26

Changed in python-muranoclient:
assignee:	nobody → Kirill Zaitsev (kzaitsev)
no longer affects:	python-muranoclient/0.5.x
description:	updated

Victor Ryzhenkin (vryzhenkin) on 2016-05-26

tags:

added: security

Revision history for this message

Kirill Zaitsev (kzaitsev) wrote on 2016-05-26:

#1

client.patch Edit (3.2 KiB, text/plain)

Revision history for this message

Kirill Zaitsev (kzaitsev) wrote on 2016-05-27:

#2

client-mitaka.patch Edit (3.2 KiB, text/plain)

Revision history for this message

Kirill Zaitsev (kzaitsev) wrote on 2016-05-27:

#3

client-liberty.patch Edit (3.2 KiB, text/plain)

Revision history for this message

Kirill Zaitsev (kzaitsev) wrote on 2016-05-27:

#4

client-kilo.patch Edit (2.7 KiB, text/plain)

Revision history for this message

Stan Lagun (slagun) wrote on 2016-05-27:

#5

looks good to be. Tried to test if it can cause old bugs to return again and seems that everything is okay now. However the patch for the engine is missing. And when changing YaqlYamlLoader there remember to change Constructor to SafeConstructor as well

Kirill Zaitsev (kzaitsev) on 2016-06-23

information type:

Private Security → Public Security

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-06-23: Fix merged to python-muranoclient (master)

#6

Reviewed: https://review.openstack.org/333440
Committed: https://git.openstack.org/cgit/openstack/python-muranoclient/commit/?id=cd182ba363a11078ae7a0595f54751c1ebddd2e0
Submitter: Jenkins
Branch: master

commit cd182ba363a11078ae7a0595f54751c1ebddd2e0
Author: Kirill Zaitsev <email address hidden>
Date: Fri May 27 01:04:31 2016 +0300

Use yaml.SafeLoader instead of yaml.Loader

    Before this patch yaml.Loader was used by the client to create custom
    yaql-enabled yaml loader. It is unsfae do to so, because yaml.Loader is
    capable of creating custom python objects from specifically constructed
    yaml files.
    UI parsing functions also fell back to yaml.Loader if
    the custom loader was not supplied.
    After this patch all yaml load operations are performed with safe
    loaders instead.

Change-Id: Id9bb6eabda35522271ec394f8758a974878cbb4b
Closes-Bug: #1586078

Changed in python-muranoclient:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-06-23: Fix merged to python-muranoclient (stable/mitaka)

#7

Reviewed: https://review.openstack.org/333443
Committed: https://git.openstack.org/cgit/openstack/python-muranoclient/commit/?id=e470430814ceddadea66d2e4bb3a9b10b55869e6
Submitter: Jenkins
Branch: stable/mitaka

commit e470430814ceddadea66d2e4bb3a9b10b55869e6
Author: Kirill Zaitsev <email address hidden>
Date: Fri May 27 01:04:31 2016 +0300

Use yaml.SafeLoader instead of yaml.Loader

    Before this patch yaml.Loader was used by the client to create custom
    yaql-enabled yaml loader. It is unsfae do to so, because yaml.Loader is
    capable of creating custom python objects from specifically constructed
    yaml files.
    UI parsing functions also fell back to yaml.Loader if
    the custom loader was not supplied.
    After this patch all yaml load operations are performed with safe
    loaders instead.

Change-Id: Id9bb6eabda35522271ec394f8758a974878cbb4b
Closes-Bug: #1586078

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-06-23: Fix merged to python-muranoclient (stable/liberty)

#8

Reviewed: https://review.openstack.org/333444
Committed: https://git.openstack.org/cgit/openstack/python-muranoclient/commit/?id=b1e8a1753ccc3faf06840f675403645311ac9d79
Submitter: Jenkins
Branch: stable/liberty

commit b1e8a1753ccc3faf06840f675403645311ac9d79
Author: Kirill Zaitsev <email address hidden>
Date: Fri May 27 01:04:31 2016 +0300

Use yaml.SafeLoader instead of yaml.Loader

    Before this patch yaml.Loader was used by the client to create custom
    yaql-enabled yaml loader. It is unsfae do to so, because yaml.Loader is
    capable of creating custom python objects from specifically constructed
    yaml files.
    UI parsing functions also fell back to yaml.Loader if
    the custom loader was not supplied.
    After this patch all yaml load operations are performed with safe
    loaders instead.

Change-Id: Id9bb6eabda35522271ec394f8758a974878cbb4b
Closes-Bug: #1586078

Kirill Zaitsev (kzaitsev) on 2016-06-24

description:

updated

Revision history for this message

Doug Hellmann (doug-hellmann) wrote on 2016-06-27: Fix included in openstack/python-muranoclient 0.9.0

#9

This issue was fixed in the openstack/python-muranoclient 0.9.0 release.

Revision history for this message

Doug Hellmann (doug-hellmann) wrote on 2016-06-27: Fix included in openstack/python-muranoclient 0.8.5

#10

This issue was fixed in the openstack/python-muranoclient 0.8.5 release.

Revision history for this message

Doug Hellmann (doug-hellmann) wrote on 2016-06-27: Fix included in openstack/python-muranoclient 0.7.3

#11

This issue was fixed in the openstack/python-muranoclient 0.7.3 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-10:

#12

This issue was fixed in the openstack/python-muranoclient 0.7.3 release.

	Status	Importance	Assigned to	Milestone
python-muranoclient	Fix Released	Critical	Kirill Zaitsev	python-muranoclient 0.9.0
Kilo	Won't Fix	Undecided	Unassigned	python-muranoclient 0.5.10
Liberty	Fix Committed	Critical	Kirill Zaitsev	python-muranoclient 0.7.3
Mitaka	Fix Committed	Critical	Kirill Zaitsev	python-muranoclient 0.8.5
Newton	Fix Released	Critical	Kirill Zaitsev	python-muranoclient 0.9.0

python-muranoclient

YaqlYamlLoader inherits from YamlLoader

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches