0.121.0

what
- Update multiple tools from cloudposse/packages#233
- Update aws-cli 1.16.209 -> 1.16.226
- Update ansible 2.7.12 -> 2.8.4

why
- Bring in bug and security fixes and new features
Security note
PyYAML is pinned to version 3.13 because that is the latest version that awsebcli supports. This version of PyYAML has a known vulnerability, CVE-2017-18342, summarized as "the yaml.load() API could execute arbitrary code if used with untrusted data."

At the moment, the only tools Geodesic ships with that use PyYAML (as far as we have been able to determine) are awscli and awsebcli. (The yq command included in Geodesic is a golang tool and not the python-yq that uses PyYAML.)
- awscli says their tool is not affected by the vulnerability: aws/aws-cli#3828
- We can find no public statement about awsebcli and CVE-2017-18342

Users of awsebcli or who install their own Python packages should take appropriate precautions.
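One concrete precaution for anyone loading YAML with the pinned PyYAML inside Geodesic, given as an added example that is not part of this release or of the Geodesic project: scan untrusted documents for PyYAML's `!!python/` constructor tags and parse only with `yaml.safe_load`, which builds plain mappings, sequences and scalars and never constructs Python objects. Both sample documents are constructed for this example; the `!!python/object/apply` tag is the tag family that CVE-2017-18342 concerns, shown here only so the checks have something to reject. The `safe_load_yaml` function assumes PyYAML is importable as `yaml`; the tag scanner itself has no dependencies.

```python
import re

# Constructed sample documents (not from the Geodesic release notes).
TRUSTED_CONFIG = """
region: us-west-2
tools:
  - awscli
  - ansible
"""

# A document carrying a PyYAML-specific constructor tag. Under the pinned
# PyYAML 3.13, yaml.load() on such input would construct arbitrary Python
# objects (CVE-2017-18342); here it is only input for the checks below.
TAGGED_CONFIG = """
region: !!python/object/apply:os.getcwd []
"""

# PyYAML-specific tags that map YAML nodes onto Python objects or callables.
PYTHON_TAG_RE = re.compile(r"!!python/[\w/.:]*")


def find_python_tags(text: str) -> list:
    """Return every !!python/ tag in a YAML document, in order of appearance."""
    return PYTHON_TAG_RE.findall(text)


def safe_load_yaml(text: str):
    """Parse YAML from untrusted input without Python object construction.

    Rejects documents that carry !!python/ tags outright, then parses with
    yaml.safe_load (the documented mitigation for CVE-2017-18342), which only
    builds standard YAML types: mappings, sequences and scalars.
    """
    tags = find_python_tags(text)
    if tags:
        raise ValueError(f"refusing to load YAML with Python-specific tags: {tags}")
    import yaml  # PyYAML; imported lazily so the tag scan works without it
    return yaml.safe_load(text)


if __name__ == "__main__":
    print(safe_load_yaml(TRUSTED_CONFIG))
    try:
        safe_load_yaml(TAGGED_CONFIG)
    except ValueError as exc:
        print("rejected:", exc)
```

The tag scan is deliberately redundant with `safe_load`: `safe_load` already raises a `ConstructorError` on `!!python/` tags, but scanning first gives a log-friendly reason before any parser runs, and it still works in an environment where the YAML library is missing or has been swapped for a different version.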
Special note about this release:
Due to operational errors, the 0.121.0 release was incorrectly published twice, once as 1.121.0 and once as 0.121.0 but pointing to the wrong commit. Users may want to avoid this release in favor of the prior 0.120.4 or next 0.122.0 release to avoid confusion. However, you can verify which version you have by examining these points:
- The correct commit for release 0.121.0 is 4f55f6a
- 0.121.0 has awscli==1.16.226 while the previous release has awscli==1.16.209
- 0.121.0 does not have rootfs/usr/local/bin/codefresh-pipeline while the next release does