Upgrade scenarioplayer's pyyaml dependency#3231
(I tried to look up why the fix is not in the stable release. I found a hot discussion in yaml/pyyaml#194.)
@pirapira it's not our problem -- pyyaml is only used by scenario player so there is no real security issue for us at all. It's just to silence the GitHub critical vulnerability emails.
There's already 4.2b4 released by now. IMO we should just wait a few more days until they have the final 4.2 out. No sense updating to a possibly unstable beta release.
@ulope Is it a few more days? If so, sure, I can keep the PR open and update when released. Can you give me a link to the upcoming stable release plan? But judging by their release history of "stable" releases: https://pypi.org/project/PyYAML/#history there is a 2 year difference between each of the last 3 stable patch releases. I am not going to have the GitHub critical vulnerability emails for another 1.5 years ^_^
Pyyaml had an arbitrary code execution vulnerability in previous versions. Check https://nvd.nist.gov/vuln/detail/CVE-2017-18342
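The bug class behind CVE-2017-18342 is that PyYAML's `yaml.load()` used the full `Loader` by default, which honours Python-specific tags such as `!!python/object/apply` and therefore executes attacker-chosen callables while parsing. Since the scenario player reads YAML scenario files, the following added example (written for this discussion, not code from the Raiden repository or from PyYAML; the two YAML documents are constructed) shows the unsafe path beside the application-side fix, `yaml.safe_load()`, which rejects such tags with a `ConstructorError`:

```python
"""CVE-2017-18342 demonstration: unsafe yaml.load() vs. yaml.safe_load().

Added example for this PR discussion, not Raiden/scenario-player code.
The YAML documents below are constructed for the demonstration.
"""
import yaml

# Constructed attacker payload: a "config file" that, when loaded with the
# full Loader, calls subprocess.check_output(["echo", "pwned"]).  The tag
# suffix is a dotted Python path; the flow sequence holds the call's args.
ATTACKER_YAML = "!!python/object/apply:subprocess.check_output [[echo, pwned]]\n"

# Constructed benign document of the shape a scenario file would contain.
BENIGN_YAML = "name: demo\nnodes: 2\n"


def load_unsafe(text: str):
    """What vulnerable PyYAML did by default: yaml.Loader builds Python objects.

    Loader= is passed explicitly so the behaviour is identical on every
    PyYAML release (5.1+ warns when it is omitted, 6.0 requires it).
    """
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text: str):
    """The application-side fix: SafeLoader only produces plain data types."""
    return yaml.safe_load(text)


def is_rejected_by_safe_loader(text: str) -> bool:
    """True if SafeLoader refuses the document because of an unknown tag."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    # The unsafe loader runs the subprocess and returns its output.
    print("unsafe load returned:", load_unsafe(ATTACKER_YAML))  # b'pwned\n'
    # safe_load refuses the python/* tag instead of executing it.
    print("safe_load rejects payload:", is_rejected_by_safe_loader(ATTACKER_YAML))  # True
    # Ordinary configuration data parses fine with the safe loader.
    print("safe_load of benign doc:", load_safe(BENIGN_YAML))  # {'name': 'demo', 'nodes': 2}
```

Upgrading the pin closes the library default, but switching every call site to `yaml.safe_load()` (or an explicit `Loader=yaml.SafeLoader`) removes the exposure regardless of which PyYAML version ends up installed, which matters given how long the stable releases discussed above were spaced apart.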
2c9fcd0 to 9b3eb6f
ulope
left a comment
Works fine with the scenario player.
I've updated the version to 4.2b4

@ulope please take a look