#55 modulemd.load(s)_all is unsafe
Closed: Fixed 2 years ago Opened 2 years ago by puiterwijk.

The loads_all function in modulemd/__init__.py is using yaml.load_all, which is really insecure (it allows for random code execution).
This should probably be replaced with the yaml.safe_load_all call.

Metadata Update from @psabata:
- Issue assigned to psabata

2 years ago

This has been assigned CVE-2017-1002157.

Fixed in 1.3.2. Fedora updates will be issued shortly.

Metadata Update from @psabata:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @puiterwijk:
- Issue private status set to: False (was: True)

6 months ago
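
The replacement suggested in this ticket, as an added example that is not modulemd's own code: a multi-document loader built on `yaml.safe_load_all` that rejects the whole stream if any document carries a Python-specific tag. It assumes PyYAML is installed; `load_documents` and both sample streams are hypothetical and constructed for illustration.

```python
import yaml  # PyYAML

# Constructed sample: two plain mapping documents in one stream.
PLAIN_STREAM = """\
---
document: modulemd
version: 1
data:
  name: example-a
---
document: modulemd
version: 1
data:
  name: example-b
"""

# Constructed sample: the second document uses a Python-specific tag.
# The tag here only names a harmless function; the point is that the
# safe loader refuses every python/* tag instead of resolving it.
TAGGED_STREAM = """\
---
document: modulemd
version: 1
data:
  name: example-a
---
document: modulemd
version: 1
data:
  name: !!python/name:os.getcwd
"""


def load_documents(stream):
    """Parse all documents with the safe loader, all-or-nothing."""
    try:
        # safe_load_all returns a lazy generator: errors surface only while
        # iterating, so list() must stay inside the try block. Materializing
        # first also avoids acting on early documents of a bad stream.
        docs = list(yaml.safe_load_all(stream))
    except yaml.constructor.ConstructorError as exc:
        raise ValueError(f"rejected YAML stream: {exc.problem}") from exc
    for doc in docs:
        if not isinstance(doc, dict):
            raise ValueError("every document must be a mapping")
    return docs
```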
