Date: Wed, 24 Apr 2019 20:28:27 +0200
From: Jochen Neumeister <joneum@FreeBSD.org>
To: Josh Paetzel <jpaetzel@FreeBSD.org>, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r499855 - head/security/vuxml
Message-ID: <f3a70f01-d96b-44a9-9897-4ce3d48fa494@FreeBSD.org>
In-Reply-To: <201904241530.x3OFUeUg008218@repo.freebsd.org>
References: <201904241530.x3OFUeUg008218@repo.freebsd.org>
On 24.04.19 17:30, Josh Paetzel wrote: > Author: jpaetzel > Date: Wed Apr 24 15:30:40 2019 > New Revision: 499855 > URL: https://svnweb.freebsd.org/changeset/ports/499855 > > Log: > Document py-yaml vulnerability > > PR: 237501 > Submitted by: sergey@akhmatov.ru > Security: CVE-2017-18342 Where is: Security: f6ea18bb-65b9-11e9-8b31-002590045d9c MFH: 2019Q2 Greetings > > Modified: > head/security/vuxml/vuln.xml > > Modified: head/security/vuxml/vuln.xml > ============================================================================== > --- head/security/vuxml/vuln.xml Wed Apr 24 15:13:52 2019 (r499854) > +++ head/security/vuxml/vuln.xml Wed Apr 24 15:30:40 2019 (r499855) > @@ -58,6 +58,37 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> > + <vuln vid="f6ea18bb-65b9-11e9-8b31-002590045d9c"> > + <topic>py-yaml -- arbitrary code execution</topic> > + <affects> > + <package> > + <name>py27-yaml</name> > + <name>py35-yaml</name> > + <name>py36-yaml</name> > + <name>py37-yaml</name> > + <range><lt>4.1</lt></range> > + </package> > + </affects> > + <description> > + <body xmlns="http://www.w3.org/1999/xhtml"> > + <p>pyyaml reports:</p> > + <blockquote cite="https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation"> > + <p>the PyYAML.load function could be easily exploited to call any Python > + function. That means it could call any system command using os.system()</p> > + </blockquote> > + </body> > + </description> > + <references> > + <cvename>CVE-2017-18342</cvename> > + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342</url> > + <url>https://github.com/yaml/pyyaml/pull/74</url> > + </references> > + <dates> > + <discovery>2018-06-27</discovery> > + <entry>2019-04-23</entry> > + </dates> > + </vuln> > + > <vuln vid="a207bbd8-6572-11e9-8e67-206a8a720317"> > <topic>FreeBSD -- EAP-pwd message reassembly issue with unexpected fragment</topic> > <affects> >
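Review bot: the affected range `<range><lt>4.1</lt></range>` should be checked against the fix the references actually describe: the entry cites the PyYAML yaml.load() deprecation wiki page and pull request 74, so confirm that 4.1 is the first release in which yaml.load() stopped using the full loader by default and that it is the version boundary the ports tree tracks; if the boundary is off, the entry either misses affected py*-yaml packages or flags fixed ones. A style point in the description: the blockquote begins mid-sentence in lowercase (`<p>the PyYAML.load function could be easily exploited to call any Python`); either quote from the start of the upstream sentence or mark the elision with an ellipsis so it reads as a quotation.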