Date: Tue, 26 Jun 2018 21:18:39 -0400
From: Alex Gaynor <alex.gaynor@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE for PyYAML RCE-factory API

In releases of PyYAML < 4.1, using the `yaml.load()` API on untrusted input could lead to arbitrary code execution. Instead, users were advised to use the `yaml.safe_load()` API.

Starting with the PyYAML 4.1 release, the `yaml.load()` API has been made safe-by-default. Users wishing to opt into the old behavior and produce RCEs (or who trust their input) can use the `yaml.danger_load`.

Because of the degree to which this API presented a footgun, I would like to request a CVE for it.

Alex

-- 
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
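The message above is about the difference between a loader that honours every tag in the document (including the Python-specific ones that instantiate arbitrary objects) and `yaml.safe_load()`, which only knows the core YAML types. The following is an added example, not code from the post or from the PyYAML project: a tag-allowlisting gate that scans a YAML document for node tags before it is handed to `safe_load()`, so that any document carrying a non-core tag is refused with an explicit, loggable error regardless of which loader a future maintainer wires in. The allowlist, the `load_config()` name and the sample documents are assumptions constructed for the demonstration; the scanner is a heuristic tokenizer (it skips comments and quoted scalars, reads `!...` tokens at node position, and fails closed on anything it does not recognise), not a full YAML parser.

```python
"""Tag allowlisting gate for YAML documents before deserialization (added example)."""
from typing import Iterable, List

# Core/JSON-schema tags that carry no object-construction risk. This is an
# assumed allowlist for a plain config loader; extend it per application.
ALLOWED_TAGS = {
    "!!str", "!!int", "!!float", "!!bool", "!!null",
    "!!map", "!!seq", "!!set", "!!omap", "!!pairs", "!!binary", "!!timestamp",
}

# Characters that may precede a tag token at node position.
_TAG_PRECEDERS = " \t\n[{,"
# Characters that terminate a non-verbatim tag token.
_TAG_TERMINATORS = " \t\n[]{},"


def extract_tags(text: str) -> List[str]:
    """Return every tag token (e.g. '!!int', '!!python/object:x') in the document.

    Comments and single/double-quoted scalars are skipped so that a '!' or '#'
    inside a quoted string is not mistaken for a tag or comment.
    """
    tags: List[str] = []
    i, n = 0, len(text)
    prev = "\n"  # character before the current one; "\n" means start of line
    while i < n:
        c = text[i]
        if c == "#" and prev in " \t\n":
            while i < n and text[i] != "\n":  # comment runs to end of line
                i += 1
            continue
        if c == "'":
            i += 1
            while i < n:
                if text[i] == "'":
                    if i + 1 < n and text[i + 1] == "'":  # '' is an escaped quote
                        i += 2
                        continue
                    break
                i += 1
            i += 1  # consume the closing quote
            prev = "'"
            continue
        if c == '"':
            i += 1
            while i < n and text[i] != '"':
                if text[i] == "\\":  # skip the escaped character
                    i += 1
                i += 1
            i += 1  # consume the closing quote
            prev = '"'
            continue
        if c == "!" and prev in _TAG_PRECEDERS:
            j = i + 1
            if j < n and text[j] == "<":  # verbatim tag: !<tag:...> runs to '>'
                while j < n and text[j] != ">":
                    j += 1
                j += 1
            else:
                while j < n and text[j] not in _TAG_TERMINATORS:
                    j += 1
            tags.append(text[i:j])
            prev = text[j - 1]
            i = j
            continue
        prev = c
        i += 1
    return tags


def disallowed_tags(text: str, allowed: Iterable[str] = ALLOWED_TAGS) -> List[str]:
    """Tags present in the document that are not on the allowlist."""
    allowed = set(allowed)
    return [t for t in extract_tags(text) if t not in allowed]


def load_config(text: str):
    """Refuse documents with non-allowlisted tags, then parse with the safe loader."""
    bad = disallowed_tags(text)
    if bad:
        raise ValueError(f"refusing YAML document with non-allowlisted tags: {bad}")
    import yaml  # PyYAML; imported lazily so the gate itself has no dependency
    return yaml.safe_load(text)


# Constructed sample documents.
BENIGN = """\
# constructed sample config
service: api
port: !!int "8080"
labels: [ 'a!b', "quoted # not a comment" ]
"""

SUSPICIOUS = """\
# constructed sample: a Python-specific tag that only an unsafe loader honours
handler: !!python/object:demo.Handler {name: x}
"""

if __name__ == "__main__":
    print("benign tags:", extract_tags(BENIGN), "disallowed:", disallowed_tags(BENIGN))
    print("suspicious disallowed:", disallowed_tags(SUSPICIOUS))
    try:
        load_config(SUSPICIOUS)
    except ValueError as exc:
        print("rejected:", exc)
```

The gate is a pre-parse control, not a replacement for `safe_load()`: `safe_load()` already raises a `ConstructorError` on unknown tags, but it does so from inside the parser with a message that is easy to lose, and it offers no protection if someone later swaps in the full loader. Running `disallowed_tags()` first gives one place to log rejected documents and keeps the loader choice from being the only line of defence.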