
yahoo-eng-team team mailing list archive

[Bug 1849640] Re: security scan reported insecure yaml load method usage in latest cloud-init code


This bug is believed to be fixed in cloud-init in version 19.2-70. If
this is still a problem for you, please make a comment and set the state
back to New.

Thank you.

** Changed in: cloud-init
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1849640

Title:
  security scan reported insecure yaml load method usage in latest
  cloud-init code

Status in cloud-init:
  Fix Released

Bug description:
  security scan reported insecure yaml load method usage in latest
  cloud-init code

  PyYAML's yaml.load() method is unsafe and can execute code in yaml
  files. We can use safe_load() for a safer option.

  Here are the lines where it is used in the current code.

  1. cloudinit\cmd\devel\net_convert.py at line 81
     yaml.load(net_data)

  2. \cloudinit\safeyaml.py at line 28
     yaml.load(blob,Loader=_CustomSafeLoader)

  3. \cloudinit\util.py at line 950
     converted = safeyaml.load(blob)

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1849640/+subscriptions
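The kind of check that produces a finding like the one above, as an added example that is not cloud-init code and not from the bug reporter: a small ast-based scanner for yaml.load() call sites that flags calls with no Loader at all and marks calls using an unrecognised custom loader for manual review. The sample source is constructed here from the three call sites quoted in the report; find_unsafe_yaml_loads and SAFE_LOADERS are hypothetical names.

```python
import ast

# PyYAML loaders that do not construct arbitrary Python objects.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}


def _is_yaml_load(call):
    """True for a call spelled exactly `yaml.load(...)`."""
    f = call.func
    return (isinstance(f, ast.Attribute) and f.attr == "load"
            and isinstance(f.value, ast.Name) and f.value.id == "yaml")


def _loader_name(call):
    """Return the Loader's short name, '<expr>' if unresolvable, or None if absent."""
    value = None
    for kw in call.keywords:
        if kw.arg == "Loader":
            value = kw.value
    if value is None and len(call.args) >= 2:   # Loader passed positionally
        value = call.args[1]
    if value is None:
        return None
    if isinstance(value, ast.Attribute):         # e.g. yaml.SafeLoader
        return value.attr
    if isinstance(value, ast.Name):              # e.g. _CustomSafeLoader
        return value.id
    return "<expr>"


def find_unsafe_yaml_loads(source):
    """Return sorted (lineno, severity, message) tuples for risky yaml.load() calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_yaml_load(node)):
            continue
        loader = _loader_name(node)
        if loader is None:
            findings.append((node.lineno, "HIGH", "yaml.load() without a Loader"))
        elif loader not in SAFE_LOADERS:
            findings.append((node.lineno, "REVIEW",
                             f"yaml.load() with Loader={loader}; confirm it subclasses SafeLoader"))
    return sorted(findings)


# Constructed sample reproducing the three call sites quoted in the bug report.
SAMPLE = """\
import yaml
from cloudinit import safeyaml
def a(net_data):
    return yaml.load(net_data)
def b(blob):
    return yaml.load(blob, Loader=_CustomSafeLoader)
def c(blob):
    return safeyaml.load(blob)
def d(blob):
    return yaml.load(blob, Loader=yaml.SafeLoader)
"""

if __name__ == "__main__":
    for lineno, severity, message in find_unsafe_yaml_loads(SAMPLE):
        print(f"line {lineno}: [{severity}] {message}")
```

Only the direct yaml.load() calls are reported; a wrapper such as safeyaml.load() is not flagged, so the wrapper itself still needs a one-time review of which loader it passes.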