Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Please port to a newer version of PyYAML #4042

Closed
glaubitz opened this issue Apr 3, 2019 · 10 comments
Closed

Please port to a newer version of PyYAML #4042

glaubitz opened this issue Apr 3, 2019 · 10 comments
Assignees
@justnance

Comments

@glaubitz
Copy link

glaubitz commented Apr 3, 2019

The current upstream release of PyYAML is 5.1 while aws-cli still depends on PyYAML <= 3.13.

Would be nice if aws-cli could be ported to the latest version of PyYAML that version dependency could be raised to 5.1 or higher.
@kabbedijk
Copy link

The PR for this is already approved and waiting for merge.
#4015 (comment)

It is taking quite some time though :)

@glaubitz
Copy link
Author

glaubitz commented Apr 9, 2019

Thanks. I'll look into cherry-picking the patch for openSUSE later today then.

@justnance justnance self-assigned this Apr 12, 2019
@justnance justnance added the duplicate This issue is a duplicate. label Apr 12, 2019
@justnance
Copy link

@glaubitz - Thanks for your post. I have updated our internal collaboration on this issue. We are tracking this work under #3660 and #2290. To avoid duplicate efforts I'm closing this issue.

@asottile
Copy link
Contributor

@justnance neither of those issues are relevant to allowing a newer pyyaml, could you please reopen this and/or review the patch in #4015?

thomlinton added a commit to PSU-OIT-ARC/oregoninvasiveshotline that referenced this issue Apr 23, 2019
@thomlinton
Adds additional requirement to avoid vulnerability.
df7eb7e 
The 'awscli' package has not yet revised its requirements in order
to support an adequate version of the 'PyYAML' package; until such
time, manual intervention is required when attempting to use this
library or the CLI tool.

To workaround this incompatibility, install a supported version:

  pip install PyYAML>3.10,<=3.13

Refs: https://nvd.nist.gov/vuln/detail/CVE-2017-18342
Refs: aws/aws-cli#4042
Refs: aws/aws-cli#4015
thomlinton added a commit to PSU-OIT-ARC/oregoninvasiveshotline that referenced this issue Apr 23, 2019
@thomlinton
Adds additional requirement to avoid vulnerability.
49bda06 
The 'awscli' package has not yet revised its requirements in order
to support an adequate version of the 'PyYAML' package; until such
time, manual intervention is required when attempting to use this
library or the CLI tool.

To workaround this incompatibility, install a supported version:

  pip install PyYAML>3.10,<=3.13

Refs: https://nvd.nist.gov/vuln/detail/CVE-2017-18342
Refs: aws/aws-cli#4042
Refs: aws/aws-cli#4015
@justnance justnance reopened this Apr 25, 2019
@Philmod Philmod mentioned this issue May 17, 2019
Closed
@ViktorHaag ViktorHaag mentioned this issue May 30, 2019
Closed
@SeppPenner
Copy link

The currently used PyYAML@3.13 contains a Arbitrary Code Execution issue. Check https://app.snyk.io/vuln/SNYK-PYTHON-PYYAML-42159 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342 for more information. (Just as reference for the duplicate issue I added here: #4193).

@tysonclugg tysonclugg mentioned this issue Jun 11, 2019
Closed
@rigogsilva
Copy link

UP, UP, UP. please!!!

@justnance justnance removed the duplicate This issue is a duplicate. label Jul 8, 2019
@justnance justnance added the pr:needs-review This PR needs a review from a Member. label Jul 25, 2019
@justnance
Copy link

@asottile - Thanks for referencing #4015 and commenting in merged PR #4231. I'm looking into confirming this issue is resolve before closing. thanks.

@asottile
Copy link
Contributor

For 5.1 this is done, but now there's a 5.1.1

After the last snub in my previous PR I'm not really inclined to try and fix this one

This was referenced Jul 28, 2019
Closed
Closed
@justnance justnance removed the pr:needs-review This PR needs a review from a Member. label Jul 28, 2019
@justnance
Copy link

justnance commented Jul 28, 2019
edited
Loading

@asottile - Thanks again for the feedback. I've confirmed the behavior with PyYAML 5.1.1 under #4350 and labeled this issue as enhancement. We are working on getting fixed under PR #4355.

related to: #4350 #4243

@justnance justnance mentioned this issue Jul 28, 2019
Closed
@justnance justnance added the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Jul 29, 2019
@chmreid chmreid mentioned this issue Aug 5, 2019
Closed
@chmreid chmreid mentioned this issue Aug 13, 2019
Merged
@kyleknap kyleknap removed investigating This issue is being investigated and/or work is in progress to resolve the issue. enhancement labels Aug 26, 2019
@joguSD
Copy link
Contributor

joguSD commented Aug 30, 2019

The version range has been updated, closing this out.

@joguSD joguSD closed this as completed Aug 30, 2019
rosbo added a commit to Kaggle/docker-python that referenced this issue Feb 7, 2020
@rosbo
Remove manual install of allennlp dependencies
65379d5 
The dependency on `PyYAML` causing issue has been removed: aws/aws-cli#4042 

See #548 and aws/aws-cli#4042
@rosbo rosbo mentioned this issue Feb 7, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@justnance justnance

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@kabbedijk @glaubitz @asottile @joguSD @kyleknap @SeppPenner @rigogsilva @justnance