Bug#933922: src:salt: Unsafe use of yaml.load()


Bug#933922: src:salt: Unsafe use of yaml.load()

Scott Kitterman-5
Package: src:salt
Version: 2018.3.4+dfsg1-6
Severity: grave
Tags: security
Justification: user security hole

The new version of pyyaml no longer allows use of yaml.load() without a
loader being specified.  This raises a deprecation warning which has
caused an autopkgtest failure on this package.  These are generally
trivial to fix, see the upstream guidance [1].

Scott K

[1] https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation


Bug#933922: [Pkg-salt-team] Bug#933922: src:salt: Unsafe use of yaml.load()

Benjamin Drung-6
On Monday, 05.08.2019, 01:41 -0400, Scott Kitterman wrote:

> Package: src:salt
> Version: 2018.3.4+dfsg1-6
> Severity: grave
> Tags: security
> Justification: user security hole
>
> The new version of pyyaml no longer allows use of yaml.load() without a
> loader being specified.  This raises a deprecation warning which has
> caused an autopkgtest failure on this package.  These are generally
> trivial to fix, see the upstream guidance [1].

This was already reported to upstream in
https://github.com/saltstack/salt/issues/39531 and was fixed by pull
request https://github.com/saltstack/salt/pull/40751

I will cherry-pick these changes.

--
Benjamin Drung
System Developer
Debian & Ubuntu Developer

1&1 IONOS Cloud GmbH | Greifswalder Str. 207 | 10405 Berlin | Germany
E-mail: [hidden email] | Web: www.ionos.de

Head Office: Berlin, Germany
District Court Berlin Charlottenburg, Registration number: HRB 125506 B
Executive Management: Christoph Steffens, Matthias Steinberg, Achim
Weiss

Member of United Internet


Bug#933922: marked as pending in salt

Felix Geyer-5
In reply to this post by Scott Kitterman-5
Control: tag -1 pending

Hello,

Bug #933922 in salt reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/salt-team/salt/commit/ab64448c27bfa82502980204b570d1d8f1a6dce3

------------------------------------------------------------------------
Set default_flow_style=None in yaml.dump calls

Fix salt to work with python3-yaml 5.1.2-1.

Closes: #933922
Signed-off-by: Benjamin Drung <[hidden email]>
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/933922
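An added example (my own code, not salt's or PyYAML's) illustrating both halves of this thread: the report's point that yaml.load() with no Loader is unsafe and now warns or fails, and the fix's point that yaml.dump needs default_flow_style=None to keep the pre-5.1 output style. The two YAML documents are constructed for the example.

```python
import warnings
import yaml

# Constructed sample documents (not taken from the salt code base).
PLAIN_DOC = "name: minion1\nports: [4505, 4506]\n"
TAGGED_DOC = "pair: !!python/tuple [1, 2]\n"   # carries a Python-specific tag


def load_safely(text):
    """Parse with SafeLoader: only plain YAML types, no Python objects."""
    return yaml.load(text, Loader=yaml.SafeLoader)


def load_with_full(text):
    """FullLoader honours a few python/* tags such as python/tuple."""
    return yaml.load(text, Loader=yaml.FullLoader)


def safe_rejects_tag(text):
    """True if SafeLoader refuses the document because of a tag it does not know."""
    try:
        yaml.load(text, Loader=yaml.SafeLoader)
    except yaml.constructor.ConstructorError:
        return True
    return False


def legacy_load_outcome(text):
    """Call yaml.load() with no Loader, as the old salt code did.
    PyYAML 5.1 still returns the data but emits YAMLLoadWarning (the warning
    that broke the autopkgtest); PyYAML 6 raises TypeError instead."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        try:
            yaml.load(text)
        except TypeError:
            return "typeerror"
    return "warning" if caught else "silent"


def dump_compat(data):
    """yaml.dump with default_flow_style=None: leaf collections stay in flow
    style ("ports: [4505, 4506]"), the pre-5.1 output the salt tests expected."""
    return yaml.dump(data, default_flow_style=None)


def dump_new_default(data):
    """Since PyYAML 5.1 the default is default_flow_style=False, which writes
    every collection in block style and changed salt's test expectations."""
    return yaml.dump(data)
```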


Bug#933922: marked as pending in salt

Felix Geyer-5
In reply to this post by Scott Kitterman-5
Control: tag -1 pending

Hello,

Bug #933922 in salt reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/salt-team/salt/commit/307770ff7b23e520a59bb03d2bea18f554648918

------------------------------------------------------------------------
Fix yamldumper test for both py2/py3

Fix salt to work with python3-yaml 5.1.2-1.

Closes: #933922
Signed-off-by: Benjamin Drung <[hidden email]>
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/933922


Processed: Bug#933922 marked as pending in salt

Debian Bug Tracking System
In reply to this post by Scott Kitterman-5
Processing control commands:

> tag -1 pending
Bug #933922 [src:salt] src:salt: Unsafe use of yaml.load()
Added tag(s) pending.

--
933922: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933922
Debian Bug Tracking System
Contact [hidden email] with problems


Processed: Bug#933922 marked as pending in salt

Debian Bug Tracking System
In reply to this post by Scott Kitterman-5
Processing control commands:

> tag -1 pending
Bug #933922 [src:salt] src:salt: Unsafe use of yaml.load()
Ignoring request to alter tags of bug #933922 to the same tags previously set

--
933922: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933922
Debian Bug Tracking System
Contact [hidden email] with problems


Bug#933922: marked as done (src:salt: Unsafe use of yaml.load())

Debian Bug Tracking System
In reply to this post by Scott Kitterman-5
Your message dated Thu, 29 Aug 2019 17:08:29 +0000
with message-id <[hidden email]>
and subject line Bug#933922: fixed in salt 2018.3.4+dfsg1-7
has caused the Debian Bug report #933922,
regarding src:salt: Unsafe use of yaml.load()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [hidden email]
immediately.)


--
933922: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933922
Debian Bug Tracking System
Contact [hidden email] with problems

Package: src:salt
Version: 2018.3.4+dfsg1-6
Severity: grave
Tags: security
Justification: user security hole

The new version of pyyaml no longer allows use of yaml.load() without a
loader being specified.  This raises a deprecation warning which has
caused an autopkgtest failure on this package.  These are generally
trivial to fix, see the upstream guidance [1].

Scott K

[1] https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

Source: salt
Source-Version: 2018.3.4+dfsg1-7

We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [hidden email],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Drung <[hidden email]> (supplier of updated salt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [hidden email])


Format: 1.8
Date: Thu, 29 Aug 2019 18:26:56 +0200
Source: salt
Architecture: source
Version: 2018.3.4+dfsg1-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Salt Team <[hidden email]>
Changed-By: Benjamin Drung <[hidden email]>
Closes: 933922
Changes:
 salt (2018.3.4+dfsg1-7) unstable; urgency=medium
 .
   * doc: Set script type explicitly to text/javascript
   * Use jquery.js from sphinx
   * Symlink vendor JavaScript files before building
   * Use dh_sphinxdoc
   * Fix various spelling mistakes
   * Fix salt to work with python3-yaml 5.1.2-1 (Closes: #933922):
     - Set default_flow_style=None in yaml.dump calls
     - Fix yamldumper test for both py2/py3
   * Bump Standards-Version to 4.4.0 (no changes needed)
   * Switch to debhelper 12
   * Add missing Pre-Depends on ${misc:Pre-Depends}
