Date: Wed, 2 Jun 2021 18:45:07 GMT From: Dmitry Marakasov <amdmi3@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 2acbd03da0c1 - main - security/vuxml: add entry for PyYAML CVE-2020-14343 Message-ID: <202106021845.152Ij70c028625@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by amdmi3: URL: https://cgit.FreeBSD.org/ports/commit/?id=2acbd03da0c12f63b77be9348b7f1d662322cc7d commit 2acbd03da0c12f63b77be9348b7f1d662322cc7d Author: Dmitry Marakasov <amdmi3@FreeBSD.org> AuthorDate: 2021-06-02 18:36:44 +0000 Commit: Dmitry Marakasov <amdmi3@FreeBSD.org> CommitDate: 2021-06-02 18:41:43 +0000 security/vuxml: add entry for PyYAML CVE-2020-14343 PR: 256220 --- security/vuxml/vuln.xml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index f59756dc1458..5e3fb6707996 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,42 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="c7ec6375-c3cf-11eb-904f-14dae9d5a9d2"> + <topic>PyYAML -- arbitrary code execution</topic> + <affects> + <package> + <name>py36-yaml</name> + <name>py37-yaml</name> + <name>py38-yaml</name> + <name>py39-yaml</name> + <range><lt>5.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>A vulnerability was discovered in the PyYAML library + in versions before 5.4, where it is susceptible to arbitrary + code execution when it processes untrusted YAML files + through the full_load method or with the FullLoader loader. + Applications that use the library to process untrusted + input may be vulnerable to this flaw. This flaw allows + an attacker to execute arbitrary code on the system by + abusing the python/object/new constructor. This flaw is + due to an incomplete fix for CVE-2020-1747.</p> + </body> + </description> + <references> + <cvename>CVE-2020-14343</cvename> + <url>https://github.com/yaml/pyyaml/issues/420</url>; + <url>https://access.redhat.com/security/cve/CVE-2020-14343</url>; + <url>https://bugzilla.redhat.com/show_bug.cgi?id=1860466</url>; + </references> + <dates> + <discovery>2020-07-22</discovery> + <entry>2021-06-02</entry> + </dates> + </vuln> + <vuln vid="e24fb8f8-c39a-11eb-9370-b42e99a1b9c3"> <topic>isc-dhcp -- remotely exploitable vulnerability</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202106021845.152Ij70c028625>