Fix CVE-2020-14343: A vulnerability was discovered in the PyYAML library
in versions before 5.4, where it is susceptible to arbitrary code
execution when it processes untrusted YAML files through the full_load
method or with the FullLoader loader. Applications that use the library
to process untrusted input may be vulnerable to this flaw. This flaw
allows an attacker to execute arbitrary code on the system by abusing
the python/object/new constructor. This flaw is due to an incomplete fix
for CVE-2020-1747.
Update hash of LICENSE file (update in year:
58d0cb7ee0)
https://github.com/yaml/pyyaml/blob/5.4.1/CHANGES
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The hash of the license file changed due to the following diff:
-Copyright (c) 2017-2019 Ingy döt Net
+Copyright (c) 2017-2020 Ingy döt Net
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes CVE-2017-18342: In PyYAML before 4.1, the yaml.load() API
could execute arbitrary code.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The recommended form is without the trailing slash, and will become
mandatory in a coming commit.
This avoids the need for the $$($(2)_SITE:/=) magic in package/pkg-generic.mk
to avoid double slashes in download URLs, like
"https://mosh.mit.edu//mosh-1.2.5.tar.gz".
^^
Note: this work has already been done in b0b9606530 a few
months ago and earlier in c7f4b96471 and 4a9eb20de8,
but no check has been added at that time to avoid new slashes to slip
in, and so they did. This time a patch will follow immediately to
prevent future mistakes from being unnoticed.
Mass-replaced with the following command:
git grep -l '_SITE.*/$' | xargs sed -i '/_SITE.*=/s|/$||'
Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Thomas:
- use 'select' rather than 'depends on' for the yaml library
dependency
- add hash file.
- add upstream URL in Config.in help text
- rework commit title.]
Signed-off-by: Geoffrey Ragot <geoffrey.ragot@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
