dexter has uploaded this change for review.
requirements: ensure safe version of PyYAML >= 5.4 (CVE-2020-1747)
PyYAML versions 5.1–5.3.1 are vulnerable to CVE-2020-1747, which allows
arbitrary code execution through yaml.FullLoader. While PyYAML 5.4+
patches this, the dependency specification (pyyaml >= 5.1) doesn't
guarantee a safe version. Let's increase the requirement to version
5.4 to ensure a safe version is used.
This patch is based on suggestions from:
"YanTong C <chyeyantong03@gmail.com>"
Change-Id: I901c76c59e9c1bab030eab81038e04a475b32510
---
M README.md
M requirements.txt
M setup.py
3 files changed, 3 insertions(+), 3 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/26/42626/1
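As an added illustration, not code from the pySim change itself, this checks the reasoning in the commit message: a bare `>=` floor has no upper bound, so it only excludes a known-bad range when it sits above the top of that range. The affected range 5.1 to 5.3.1 is taken from the message above; the helper names `parse_floor`, `floor_admits_vulnerable` and `installed_is_safe` are hypothetical.

```python
# Added example (not part of the pySim change): does a lower-bound requirement
# such as "pyyaml>=5.1" still admit a version in a known-bad range?
import re
from typing import Tuple

# Affected versions as stated in the commit message (inclusive bounds).
VULN_LOW, VULN_HIGH = "5.1", "5.3.1"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.3.1' into (5, 3, 1); pad so that '5.4' compares as (5, 4, 0)."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def parse_floor(spec: str) -> Tuple[str, Tuple[int, ...]]:
    """Parse a requirement like 'pyyaml >= 5.1' into (name, floor version).

    Only the 'name >= version' shape used in this change is handled."""
    m = re.fullmatch(r"\s*([A-Za-z0-9_.-]+)\s*>=\s*([0-9.]+)\s*", spec)
    if not m:
        raise ValueError(f"only 'name >= version' specs are handled: {spec!r}")
    return m.group(1).lower(), parse_version(m.group(2))


def floor_admits_vulnerable(spec: str, high: str = VULN_HIGH) -> bool:
    """True if the '>=' floor lets the resolver pick a version inside the
    bad range. Because a floor has no upper bound, the only way it excludes
    the range is by lying strictly above the range's highest version."""
    _, floor = parse_floor(spec)
    return floor <= parse_version(high)


def installed_is_safe(high: str = VULN_HIGH) -> bool:
    """Check the PyYAML that is actually importable in this environment.

    Assumption: the installed package exposes yaml.__version__ as a plain
    dotted release string. Returns False when PyYAML is not installed."""
    try:
        import yaml
    except ImportError:
        return False
    return parse_version(yaml.__version__) > parse_version(high)


if __name__ == "__main__":
    for spec in ("pyyaml>=5.1", "pyyaml >= 5.4"):
        print(spec, "admits vulnerable:", floor_admits_vulnerable(spec))
    print("installed PyYAML above", VULN_HIGH, ":", installed_is_safe())
```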
diff --git a/README.md b/README.md
index 8773356..7768b63 100644
--- a/README.md
+++ b/README.md
@@ -97,7 +97,7 @@
- pyscard
- pyserial
- pytlv
- - pyyaml >= 5.1
+ - pyyaml >= 5.4
- smpp.pdu (from `github.com/hologram-io/smpp.pdu`)
- termcolor
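Review bot: The README line now agrees with requirements.txt and setup.py, but a floor in the docs only guides people who install by hand; since the commit message names yaml.FullLoader as the execution vector, the change would be stronger if it also stated (or checked in the same change) that pySim's own YAML parsing goes through yaml.safe_load, so an environment that still carries an older wheel is not reachable through the project's code path.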
diff --git a/requirements.txt b/requirements.txt
index 4ceec45..9088f16 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,7 +6,7 @@
construct>=2.10.70
bidict
pyosmocom>=0.0.12
-pyyaml>=5.1
+pyyaml>=5.4
termcolor
colorlog
pycryptodomex
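Review bot: The `pyyaml>=5.4` floor here is open-ended, which is fine for a fix floor, but the commit message lists 5.1–5.3.1 as the affected range and then chooses 5.4 rather than 5.3.2 as the boundary; the message (or a comment beside this line) should say why 5.4 is the safe floor so that a later cleanup does not lower it to the first release past the named range.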
diff --git a/setup.py b/setup.py
index be81122..614d80b 100644
--- a/setup.py
+++ b/setup.py
@@ -26,7 +26,7 @@
"construct >= 2.10.70",
"bidict",
"pyosmocom >= 0.0.12",
- "pyyaml >= 5.1",
+ "pyyaml >= 5.4",
"termcolor",
"colorlog",
"pycryptodomex",
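Review bot: This hunk is the third hand-maintained copy of the same dependency floor (README.md, requirements.txt, setup.py); consider having setup.py build install_requires from requirements.txt, or at least adding a comment next to `"pyyaml >= 5.4",` that points at the other two locations, so the next security bump cannot silently miss one of them.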