dexter has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/42626?usp=email )
Change subject: requirements: ensure safe version of PyYAML >= 5.4 (CVE-2020-1747)
requirements: ensure safe version of PyYAML >= 5.4 (CVE-2020-1747)
PyYAML versions 5.1–5.3.1 are vulnerable to CVE-2020-1747, which allows arbitrary code execution through yaml.FullLoader. While PyYAML 5.4+ patches this, the dependency specification (pyyaml >= 5.1) doesn't guarantee a safe version. Let's increase the requirement to version 5.4 to ensure a safe version is used.
This patch is based on suggestions from: "YanTong C chyeyantong03@gmail.com"
Change-Id: I901c76c59e9c1bab030eab81038e04a475b32510
---
M README.md
M requirements.txt
M setup.py
3 files changed, 3 insertions(+), 3 deletions(-)
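The reasoning behind the change (a lower bound of `>= 5.1` still admits every vulnerable release, `>= 5.4` admits none of them) can be checked mechanically. The following is an added example, not pysim code: a small stdlib-only audit that parses requirement lines of the form used in requirements.txt, compares them against an installed version, and reports whether the bound would have admitted a version inside an advisory range. The advisory table, the installed-version map and the use of plain dotted-integer version comparison are assumptions of the example; the 5.1 to 5.3.1 range is taken from the commit message above.

```python
"""Added example (not part of pysim): does a requirements bound still admit a
known-vulnerable version range?

Assumptions: versions are plain dotted integers (enough for PyYAML's release
numbering); the advisory table below is constructed for the example and the
CVE-2020-1747 range 5.1..5.3.1 inclusive comes from the commit message.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Spec = Tuple[str, Version]

# Constructed advisory table: package -> (advisory id, first vulnerable, last vulnerable).
ADVISORIES: Dict[str, Tuple[str, str, str]] = {
    "pyyaml": ("CVE-2020-1747", "5.1", "5.3.1"),
}


def parse_version(text: str) -> Version:
    """'5.3.1' -> (5, 3, 1). Trailing zeros are handled by compare()."""
    return tuple(int(part) for part in text.strip().split("."))


def compare(a: Version, b: Version) -> int:
    """C-style comparator (-1, 0, 1); pads with zeros so that 5.4 == 5.4.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {
    ">=": lambda c: c >= 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
    "!=": lambda c: c != 0, ">": lambda c: c > 0, "<": lambda c: c < 0,
}


def parse_requirement(line: str) -> Tuple[str, List[Spec]]:
    """'pyyaml >= 5.1' or 'pyyaml>=5.1,<6' -> ('pyyaml', [('>=', (5, 1)), ('<', (6,))])."""
    m = re.match(r"\s*([A-Za-z0-9_.\-]+)\s*(.*?)\s*$", line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, rest = m.group(1).lower(), m.group(2)
    specs: List[Spec] = []
    for clause in filter(None, (c.strip() for c in rest.split(","))):
        cm = re.match(r"(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)$", clause)
        if not cm:
            raise ValueError(f"unsupported clause {clause!r} in {line!r}")
        specs.append((cm.group(1), parse_version(cm.group(2))))
    return name, specs


def satisfies(version: str, specs: List[Spec]) -> bool:
    """True if every clause of the specifier accepts the given version."""
    v = parse_version(version)
    return all(_OPS[op](compare(v, bound)) for op, bound in specs)


def in_advisory_range(version: str, lo: str, hi: str) -> bool:
    """True if lo <= version <= hi (inclusive on both ends, as the advisory states)."""
    v = parse_version(version)
    return compare(v, parse_version(lo)) >= 0 and compare(v, parse_version(hi)) <= 0


def audit(requirement_lines: List[str], installed: Dict[str, str]) -> List[str]:
    """For every requirement whose installed version falls inside an advisory
    range, report whether the declared bound ADMITS or rejects that version.
    A bound that admits it is the situation the commit fixes."""
    findings = []
    for line in requirement_lines:
        name, specs = parse_requirement(line)
        version = installed.get(name)
        if version is None or name not in ADVISORIES:
            continue
        advisory, lo, hi = ADVISORIES[name]
        if not in_advisory_range(version, lo, hi):
            continue
        verdict = "ADMITS" if satisfies(version, specs) else "rejects"
        findings.append(f"{name} {version}: {advisory}; bound '{line.strip()}' {verdict} it")
    return findings


if __name__ == "__main__":
    # Constructed scenario: an environment that still has PyYAML 5.3.1 installed.
    env = {"pyyaml": "5.3.1", "termcolor": "2.4.0"}
    for bound in ("pyyaml >= 5.1", "pyyaml >= 5.4"):
        print(audit([bound, "termcolor"], env))
```

Run stand-alone, the script reports the old bound admitting 5.3.1 and the new bound rejecting it, which is exactly the property the three one-line edits in this change buy.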
git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/26/42626/1
diff --git a/README.md b/README.md index 8773356..7768b63 100644 --- a/README.md +++ b/README.md @@ -97,7 +97,7 @@ - pyscard - pyserial - pytlv - - pyyaml >= 5.1 + - pyyaml >= 5.4 - smpp.pdu (from `github.com/hologram-io/smpp.pdu`) - termcolor
diff --git a/requirements.txt b/requirements.txt index 4ceec45..9088f16 100644 --- a/requirements.txt +++ b/requirements.txt @@ -6,7 +6,7 @@ construct>=2.10.70 bidict pyosmocom>=0.0.12 -pyyaml>=5.1 +pyyaml>=5.4 termcolor colorlog pycryptodomex diff --git a/setup.py b/setup.py index be81122..614d80b 100644 --- a/setup.py +++ b/setup.py @@ -26,7 +26,7 @@ "construct >= 2.10.70", "bidict", "pyosmocom >= 0.0.12", - "pyyaml >= 5.1", + "pyyaml >= 5.4", "termcolor", "colorlog", "pycryptodomex",
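Review bot: In the requirements.txt hunk, the new lower bound `pyyaml>=5.4` is the first release the commit message names as patched, so it excludes the whole 5.1–5.3.1 range; the one thing worth confirming alongside this bump is that the code base's own YAML loading goes through `yaml.safe_load` (SafeLoader) rather than the `FullLoader` path the commit message identifies as the vulnerable entry point, since a minimum bound only constrains what gets installed and does not protect a call site that opts into the unsafe loader.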
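Review bot: In the setup.py hunk, `install_requires` now matches requirements.txt, which is the important part; note that the same bound is maintained by hand in three files (README.md, requirements.txt, setup.py), so a short comment next to `install_requires` pointing at requirements.txt, or a test asserting the two machine-read lists agree, would keep them from drifting apart on the next bump.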