@utahkay utahkay commented Jun 8, 2022

Motivation

The latest apt-get version of python3-yaml is 5.3.1, but this version contains CVE-2020-14343.

Modifications

Use pip to install pyyaml in order to get a version without the vulnerability.

Verifying this change

  • Make sure that the change passes the CI checks.

Hopefully existing tests verify the functionality that pyyaml is used for.

Does this pull request potentially affect one of the following parts:

If yes was chosen, please highlight the changes

  • Dependencies (does it add or upgrade a dependency): Yes
  • The public API: don't know
  • The schema: don't know
  • The default values of configurations: don't know
  • The wire protocol: don't know
  • The rest endpoints: don't know
  • The admin cli options: don't know
  • Anything that affects deployment: don't know

Documentation

Check the box below or label this PR directly.

Need to update docs?

  • doc-required
    (Your PR needs to update docs and you will update later)

  • doc-not-needed
    Security fix; should not affect intended behavior.

  • doc
    (Your PR contains doc changes)

  • doc-complete
    (Docs have been already added)

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Jun 8, 2022
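As an added example (not part of this pull request or the project's code), a build step could confirm which PyYAML the interpreter actually resolves, which matters when an apt copy and a pip copy are both present. The 5.4 threshold comes from the public advisory for CVE-2020-14343, not from this page; the function names and the choice to fail when PyYAML is absent are assumptions of the example.

```python
import re
from importlib import metadata

# First PyYAML release carrying the CVE-2020-14343 fix, per the public advisory
# (assumption: this value is not stated in the pull request itself).
FIXED_RELEASE = (5, 4)


def parse_version(version):
    """Split a PEP 440-style version into (release tuple, is_prerelease)."""
    match = re.match(r"(\d+(?:\.\d+)*)(.*)", version.strip())
    if match is None:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(part) for part in match.group(1).split("."))
    while len(release) > 1 and release[-1] == 0:  # 5.4.0 compares equal to 5.4
        release = release[:-1]
    is_prerelease = re.match(r"[-_.]?(a|b|rc|dev)", match.group(2)) is not None
    return release, is_prerelease


def is_affected(version):
    """True if older than the fix; pre-releases of the fixed release count too."""
    release, is_prerelease = parse_version(version)
    if release < FIXED_RELEASE:
        return True
    return release == FIXED_RELEASE and is_prerelease


def resolved_pyyaml_version():
    """Version of the PyYAML found first on this interpreter's path, or None."""
    try:
        return metadata.version("PyYAML")
    except metadata.PackageNotFoundError:
        return None


def audit(version):
    """Return (ok, message); a missing PyYAML is treated as a failure here."""
    if version is None:
        return False, "PyYAML is not installed for this interpreter"
    if is_affected(version):
        return False, f"PyYAML {version} predates 5.4 (CVE-2020-14343)"
    return True, f"PyYAML {version} is at or above 5.4"


if __name__ == "__main__":
    ok, message = audit(resolved_pyyaml_version())
    print(message)
    raise SystemExit(0 if ok else 1)
```

Run it with the same interpreter the image uses at runtime, since a different interpreter may resolve a different copy.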