
Allow PyYAML 5.4.x#5887

Merged
kyleknap merged 1 commit into
aws:developfrom
dcarley:dcarley/pyyaml54
Feb 19, 2021

Conversation

@dcarley
Contributor

@dcarley dcarley commented Jan 21, 2021

Description of changes:

PyYAML 5.4 was released a couple of days ago with a fix for:

The changes otherwise appear to be backwards compatible:

Being able to use a later version is important for companies that have
automatic dependency scanning for CVEs.

Issue #, if available:

N/A

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@shivaylamba

@dcarley can you fix merge conflicts

PyYAML 5.4 was released a couple of days ago with a fix for:

- https://ubuntu.com/security/CVE-2020-14343
- yaml/pyyaml#420
- https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

The changes otherwise appear to be backwards compatible:

- https://github.com/yaml/pyyaml/blob/5.4.1/CHANGES

Being able to use a later version is important for companies that have
automatic dependency scanning for CVEs.
@dcarley
Contributor Author

dcarley commented Feb 8, 2021

@dcarley can you fix merge conflicts

Sure, rebased against develop now. Nice to see those conditionals go 😄

@tejaschumbalkar

What is the ETA for the PR merge and package release to pypi?

@MihaiBojin

Hi @dcarley @shivaylamba, PyYAML 5.3.1 (the version currently required by awscli) has a 9.6 CVSS vulnerability: https://snyk.io/vuln/SNYK-PYTHON-PYYAML-590151
If possible, can you please prioritize merging this PR and releasing awscli to PyPI?

Thank you!

@nateprewitt
Contributor

Hi everyone,

Just to clarify, the CLI is not impacted by this CVE. We only use the safe_load API which was not part of the vulnerability. We're actively working on getting this fully validated and will have an upcoming release merging this to unblock use with other packages ASAP.
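The comment above turns on the difference between PyYAML's safe_load and the loaders affected by CVE-2020-14343. The following is an added example, not code from the aws-cli repository or from this PR; it assumes PyYAML is importable as `yaml` and uses two constructed sample documents. It shows (1) a version check a dependency scanner would apply, treating 5.4 as the first fixed release as the PR links state, and (2) that `yaml.safe_load` refuses any `python/*` tag outright, which is why code restricted to the safe_load API was outside the vulnerability's reach on every version.

```python
"""
Added example (not part of the aws-cli PR): defensive checks around the
PyYAML upgrade discussed in the thread.
"""
import yaml

# First PyYAML release carrying the CVE-2020-14343 fix, per the PR links.
FIXED_VERSION = (5, 4)


def parse_version(text):
    """'5.3.1' -> (5, 3, 1). Non-numeric suffixes such as '5.4b1' are cut off
    at the first non-digit, so pre-releases compare by their numeric part."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_patched(version_text):
    """True if the given PyYAML version is 5.4 or later."""
    return parse_version(version_text) >= FIXED_VERSION


def installed_is_patched():
    """Apply the same check to the PyYAML that is actually installed."""
    return is_patched(yaml.__version__)


# Constructed sample input: an ordinary configuration document.
PLAIN_DOC = "region: us-east-1\nretries:\n  max_attempts: 5\n"

# Constructed sample input: the same shape of document, but one value carries a
# python/object tag. The target (builtins.int) is deliberately harmless; the
# point is that the SafeLoader will not construct any python/* tag at all.
TAGGED_DOC = "region: us-east-1\nretries: !!python/object/apply:builtins.int [5]\n"


def load_untrusted(text):
    """Parse YAML from an untrusted source with the SafeLoader only.

    Returns (data, None) on success, or (None, reason) when the document
    carried a tag the SafeLoader has no constructor for.
    """
    try:
        return yaml.safe_load(text), None
    except yaml.constructor.ConstructorError as exc:
        return None, exc.problem


if __name__ == "__main__":
    print("installed PyYAML", yaml.__version__, "patched:", installed_is_patched())
    print(load_untrusted(PLAIN_DOC))
    print(load_untrusted(TAGGED_DOC))
```

The version check is what a CVE scanner reports on (the pinned spec, not the API in use), which is why a project that only ever calls safe_load still gets flagged until the pin is raised; the loader check is what decides actual exposure.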

Contributor

@kyleknap kyleknap left a comment

Thanks! 🚢

@kyleknap kyleknap merged commit afadc66 into aws:develop Feb 19, 2021
@fbaier-fn fbaier-fn mentioned this pull request Sep 16, 2022