[Buildroot] [git commit] package/python-pyyaml: security bump to version 5.4.1

Peter Korsgaard peter at korsgaard.com
Sun Mar 14 20:21:48 UTC 2021

>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:

 > commit:
 > https://git.buildroot.net/buildroot/commit/?id=de43a9775d4646035b18eb5737e5fa4cd2eeedea
 > branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

 > Fix CVE-2020-14343: A vulnerability was discovered in the PyYAML library
 > in versions before 5.4, where it is susceptible to arbitrary code
 > execution when it processes untrusted YAML files through the full_load
 > method or with the FullLoader loader. Applications that use the library
 > to process untrusted input may be vulnerable to this flaw. This flaw
 > allows an attacker to execute arbitrary code on the system by abusing
 > the python/object/new constructor. This flaw is due to an incomplete fix
 > for CVE-2020-1747.

 > Update hash of LICENSE file (update in year:
 > https://github.com/yaml/pyyaml/commit/58d0cb7ee09954c67fabfbd714c5673b03e7a9e1)

 > https://github.com/yaml/pyyaml/blob/5.4.1/CHANGES

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
 > Signed-off-by: Yann E. MORIN <yann.morin.1998 at free.fr>

Committed to 2020.02.x and 2020.11.x, thanks.

Bye, Peter Korsgaard

More information about the buildroot mailing list