CVE-2017-1002157: Issue #55: modulemd.load(s)_all is unsafe - modulemd
modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution.
The loads_all function in modulemd/init.py is using yaml.load_all, which is really insecure (it allows for random code execution).
This should probably be replaced with the yaml.safe_load_all call.
Metadata Update from @psabata:
- Issue assigned to psabata
5 years ago
This has been assigned CVE-2017-1002157.
Fixed in 1.3.2. Fedora updates will be issued shortly.
Metadata Update from @psabata:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
5 years ago
Metadata Update from @puiterwijk:
- Issue private status set to: False (was: True)
3 years ago
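The replacement suggested in the report, shown as an added example (not code from modulemd or from this ticket): a wrapper around PyYAML's `yaml.safe_load_all` that rejects a multi-document stream as a whole if any document uses a tag the safe loader does not construct. The function names, the exception class and both sample streams are assumptions made for illustration.

```python
import yaml

# Constructed sample input: two documents in the general shape of module
# metadata. Field names are illustrative, not taken from the modulemd spec.
BENIGN_STREAM = """\
---
document: modulemd
version: 1
data:
  name: example
  stream: stable
---
document: modulemd
version: 1
data:
  name: other
  stream: devel
"""

# Constructed sample: the second document carries a Python-specific tag.
# A full (unsafe) loader would import time and call time.time() while parsing.
TAGGED_STREAM = """\
---
document: modulemd
version: 1
---
data: !!python/object/apply:time.time []
"""


class UnsafeDocumentError(ValueError):
    """Raised when any document in the stream is rejected by the safe loader."""


def load_all_untrusted(text):
    """Parse every YAML document in text with the safe loader, all or nothing."""
    try:
        # safe_load_all returns a generator, so errors surface only during
        # iteration. Consume it here so no document reaches the caller
        # before the whole stream has been accepted.
        return list(yaml.safe_load_all(text))
    except yaml.YAMLError as exc:
        raise UnsafeDocumentError(str(exc)) from exc


def is_rejected(text):
    """Return True if the stream is refused, False if it parses cleanly."""
    try:
        load_all_untrusted(text)
    except UnsafeDocumentError:
        return True
    return False
```

Because the generator is lazy, iterating `yaml.safe_load_all` directly would hand back the first document of `TAGGED_STREAM` before the error on the second one is raised; collecting into a list first avoids acting on a partially trusted stream.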