Upgrade PyYAML package from PyYAML-5.1.2.tar.gz to PyYAML 5.4.1 #271
Comments
All components need to bump up the PyYAML version. RE needs to use this version in the third-party repo.
Initial build after making changes to the custom build pipeline worked. The PyYAML 5.4.1 library is now uploaded for the custom build.
Thanks [~936455]
Besides the changes to the PyYAML version in cortx-re, the next step required updating the PyYAML version in the cortx-utils repository as well. The next build, with changes to cortx-re and cortx-utils, is failing.
[~938581] and [~729494] are working on correcting the Jenkins pipeline and will update once the pipeline is corrected.
[~936818], there are a few changes required in the hare repo as well, because if we build a job using the latest 5.4.1 PyYAML version, the "hare" repo will try to install the 5.4.3 PyYAML package which is present in [https://github.com/Seagate/cortx-hare/blob/main/hax/requirements.txt] and [https://github.com/Seagate/cortx-hare/blob/main/provisioning/miniprov/requirements.txt]. We also have to do the same thing in the "cortx-utils" repo: https://github.com/Seagate/cortx-utils/blob/main/py-utils/python_requirements.txt
[~729494] successful build job URL - [http://eos-jenkins.colo.seagate.com/job/Release_Engineering/job/re-workspace/job/custom-ci-test-EOS-25657/68/console]
cortx-ha - main branch build pipeline SUCCESS
Done with the changes.
Changes got merged to main.
Reopening this bug.
Work done so far
I wanted to check on the following questions:
1 - Is this approach of deploying the build in a non-clustered environment correct? OR should we try deployment in a Kubernetes environment (which is relevant for LC)?
From the earlier build experience, we know that changes from 5.1.2 to 5.4.1 in the following repos are required. But for this experiment, let's make changes to the following repos:
RE
Utils
Ha
Hare
The following files refer to 5.4.3, so I updated them to 5.4.1. Till this point build and deployment were tested and the build was getting successful, but deployment was showing 5.1.2:
prvsnr srv/components/system/files/cortx_py_utils_requirements.txt
An image is built based on the changes to these repos. Then the image is run to check the PyYAML version and it gave the following output:
[root@ssc-vm-g3-rhev4-2777 ~]# docker run --rm ghcr.io/seagate/cortx-all:2.0.0-1265-custom-ci pip3 show PyYAML
This means that when files in prvsnr were changed, the final PyYAML version remains 5.4.1. So changes in prvsnr do upgrade PyYAML. Further, in order to confirm this theory, I am changing prvsnr to PyYAML 5.1.2 and will build the image. Meanwhile, I will also continue deployment of the image which has 5.4.1 for the subsequent tests.
Testing for this library upgrade is complete. PRs will have code changes for
Closing this bug now, as the libraries are upgraded.
This library is now upgraded to 5.4.1, so closing this issue.
This library is upgraded, so closing this issue now.
cortx-ha - main branch build pipeline SUCCESS
Reopening this issue, as the cortx-test repository refers to PyYAML 5.1.2, which needs to be upgraded. Regards
The PyYAML vulnerability is no longer reported in Mend for cortx-test. So closing this defect as fixed.
[~521878] can you close this if there is agreement that this is addressed? [~744427] Do we need someone from Opensource or something (because this appears to be BoardGenius) to take action to close?
cortx-test has updated the PyYAML version and we are using pyyaml==6.0.0 now.
Closing as per the last comment. cc: [~932497]
This bug is now used to upgrade the PyYAML library from v5.1.2 to 5.4.1.
There are multiple vulnerabilities with the following CVEs:
CVE-2020-1747
CVE-2019-20477
CVE-2020-14343
These vulnerabilities are expected to be fixed by this upgrade.
A description of a sample vulnerability is given below.
CVE-2020-14343 - High Severity Vulnerability
Vulnerable Library - PyYAML-5.1.2.tar.gz
YAML parser and emitter for Python
Library home page: [https://files.pythonhosted.org/packages/e3/e8/b3212641ee2718d556df0f23f78de8303f068fe29cdaa7a91018849582fe/PyYAML-5.1.2.tar.gz]
Path to dependency file: cortx-ha/jenkins/pyinstaller/v1/requirements.txt
Path to vulnerable library: cortx-ha/jenkins/pyinstaller/v1/requirements.txt,cortx-ha/jenkins/pyinstaller/v2/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 489a85b33aee06bc85dc7f2b7c71262cada47dd9
Found in base branch: main
Vulnerability Details
A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
Publish Date: 2021-02-09
URL: CVE-2020-14343
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343]
Release Date: 2021-02-09
Fix Resolution: PyYAML - 5.4
⛑️ Automatic Remediation is available for this issue
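The upgrade in this thread was done by editing PyYAML pins in several repositories (cortx-re, cortx-utils, cortx-hare, cortx-prvsnr) and then checking which version actually landed in the built image. The following is an added example, not code from this issue or from the CORTX project: a stdlib-only Python audit that reads requirements files, extracts the PyYAML version specifiers, and grades each file against the 5.4 fix threshold stated in the advisory above. The file names mirror paths mentioned in the thread, but their contents are constructed sample input, not the real files; the function names (`pyyaml_specs`, `classify`, `audit`, `needs_update`) are this example's own.

```python
"""Audit requirements files for PyYAML specifiers against the CVE-2020-14343 fix (PyYAML 5.4)."""
import re
from typing import Dict, List, Optional, Tuple

# "Fix Resolution: PyYAML - 5.4" from the Mend advisory quoted in the issue.
FIX_VERSION: Tuple[int, ...] = (5, 4)

# Requirement name at the start of a line, then comma-separated specifiers such as >=5.1,<6.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
_SPEC_RE = re.compile(r"^(==|>=|~=|<=|<|>|!=)\s*([0-9][0-9.]*)$")

Spec = Tuple[Optional[str], Optional[Tuple[int, ...]]]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.4.1' into (5, 4, 1); tuple comparison then orders releases correctly."""
    return tuple(int(part) for part in text.split("."))


def pyyaml_specs(requirements_text: str) -> List[Spec]:
    """Return every (operator, version) specifier applied to PyYAML in one requirements file."""
    specs: List[Spec] = []
    for raw in requirements_text.splitlines():
        # Drop comments and environment markers; skip blank lines and options like -r / --index-url.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _NAME_RE.match(line)
        if not match or match.group(1).lower().replace("_", "-") != "pyyaml":
            continue
        rest = line[match.end():].strip()
        if not rest:
            specs.append((None, None))          # bare "PyYAML": any release may be installed
            continue
        for part in rest.split(","):
            spec_match = _SPEC_RE.match(part.strip())
            if spec_match:
                specs.append((spec_match.group(1), parse_version(spec_match.group(2))))
            else:
                specs.append(("?", None))       # URL / extras / unusual syntax: not understood
    return specs


def classify(specs: List[Spec]) -> str:
    """'absent', 'fixed', 'vulnerable' or 'unconstrained' for one file's PyYAML specifiers."""
    if not specs:
        return "absent"
    lower_bound_ok = False
    for op, ver in specs:
        if op == "==":
            return "fixed" if ver >= FIX_VERSION else "vulnerable"
        if op in (">=", "~=", ">") and ver is not None and ver >= FIX_VERSION:
            lower_bound_ok = True
        # An upper bound at or below 5.4 forces the installer onto a vulnerable release.
        if op == "<" and ver is not None and ver <= FIX_VERSION:
            return "vulnerable"
        if op == "<=" and ver is not None and ver < FIX_VERSION:
            return "vulnerable"
    # A lower bound below 5.4 (or no bound) still lets a cached/old index hand out 5.1.2.
    return "fixed" if lower_bound_ok else "unconstrained"


def audit(files: Dict[str, str]) -> Dict[str, str]:
    """Map each requirements file to its verdict."""
    return {name: classify(pyyaml_specs(text)) for name, text in files.items()}


def needs_update(verdicts: Dict[str, str]) -> List[str]:
    """Files that do not guarantee PyYAML >= 5.4 and therefore still need a pin change."""
    return sorted(name for name, verdict in verdicts.items() if verdict != "fixed")


# Constructed sample contents (not the real repository files); the paths are the ones the thread names.
SAMPLE_FILES: Dict[str, str] = {
    "cortx-hare/hax/requirements.txt": "PyYAML==5.4.3\nrequests>=2.20\n",
    "cortx-utils/py-utils/python_requirements.txt": "# pinned long ago\nPyYAML==5.1.2\n",
    "cortx-ha/jenkins/pyinstaller/v1/requirements.txt": "pyyaml>=5.1\n",
    "cortx-prvsnr/srv/components/system/files/cortx_py_utils_requirements.txt": "PyYAML==5.4.1\n",
}

if __name__ == "__main__":
    results = audit(SAMPLE_FILES)
    for path, verdict in sorted(results.items()):
        print(f"{verdict:13s} {path}")
    print("still to update:", needs_update(results))
```

Two caveats a practitioner should keep in mind. First, the check only compares numbers: the `PyYAML==5.4.3` pin the hare files carried passes as "fixed" here, yet the thread shows a build that tries to install that pin failing, so the audit is no substitute for building the image and running `pip3 show PyYAML` inside it, as the thread did to discover that the prvsnr file was what governed the installed version. Second, the upgrade repairs `FullLoader`, but untrusted YAML should still be parsed with `yaml.safe_load`, which never resolves `python/object` tags, rather than `full_load`.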