yahoo-eng-team team mailing list archive
Message #81079
[Bug 1849640] Re: security scan reported insecure yaml load method usage in latest cloud-init code
This bug is believed to be fixed in cloud-init in version 19.2-70. If
this is still a problem for you, please make a comment and set the state
back to New.
Thank you.
** Changed in: cloud-init
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1849640
Title:
security scan reported insecure yaml load method usage in latest
cloud-init code
Status in cloud-init:
Fix Released
Bug description:
security scan reported insecure yaml load method usage in latest
cloud-init code
PyYAML's yaml.load() method is unsafe and can execute code in YAML
files. We can use safe_load() as a safer option.
Here are the lines where it is used in the current code.
1. cloudinit\cmd\devel\net_convert.py at line 81
   yaml.load(net_data)
2. \cloudinit\safeyaml.py at line 28
   yaml.load(blob, Loader=_CustomSafeLoader)
3. \cloudinit\util.py at line 950
   converted = safeyaml.load(blob)
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1849640/+subscriptions
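The bug description contrasts yaml.load() with safe_load(). The following is an added example, not cloud-init's code, that shows the difference with PyYAML: a document carrying a Python-specific tag is constructed by the old default yaml.Loader but refused by SafeLoader, and a SafeLoader subclass (the pattern behind loading with a custom safe loader, as in item 2) inherits the same refusal. The loader name CustomSafeLoader, the helper functions and the two sample documents are assumptions made for the example.

```python
# Added example for this bug report; not cloud-init's own code. It shows why a
# bare yaml.load() (old default Loader) is risky and why safe_load(), or a
# SafeLoader subclass, is the fix: safe loaders refuse every python/* tag.
import yaml
from yaml.constructor import ConstructorError

# Constructed sample documents (not taken from cloud-init).
# The first carries a Python-specific tag. The unsafe loader turns it into a
# real Python tuple; a safe loader does not know the tag and raises. Tags that
# invoke callables belong to the same python/* family and are what a scanner
# flags as code execution; the harmless tuple tag is enough to show the gap.
PYTHON_TAGGED = "pair: !!python/tuple [1, 2]\n"
PLAIN = "hostname: box1\nusers:\n  - name: alice\n"


def load_unsafe(blob):
    """What a bare yaml.load(blob) did in older PyYAML: yaml.Loader honours python/* tags."""
    return yaml.load(blob, Loader=yaml.Loader)


def load_safe(blob):
    """Equivalent to yaml.safe_load(blob): only core YAML types are constructed."""
    return yaml.load(blob, Loader=yaml.SafeLoader)


class CustomSafeLoader(yaml.SafeLoader):
    """Hypothetical stand-in for the _CustomSafeLoader pattern in item 2 of the bug.

    Subclassing SafeLoader inherits the safe constructor table, so python/* tags
    stay rejected unless a constructor is explicitly registered on the subclass.
    """


def load_custom(blob):
    return yaml.load(blob, Loader=CustomSafeLoader)


def safe_loader_rejects(blob):
    """True if SafeLoader refuses the document (the check a reviewer wants to see)."""
    try:
        load_safe(blob)
    except ConstructorError:
        return True
    return False


def custom_loader_rejects(blob):
    """Same check for the SafeLoader subclass."""
    try:
        load_custom(blob)
    except ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe loader built:", load_unsafe(PYTHON_TAGGED))
    print("SafeLoader rejects python tag:", safe_loader_rejects(PYTHON_TAGGED))
    print("CustomSafeLoader rejects python tag:", custom_loader_rejects(PYTHON_TAGGED))
    print("plain document via SafeLoader:", load_safe(PLAIN))
```

yaml.safe_load(blob) and yaml.load(blob, Loader=yaml.SafeLoader) are the same thing; the subclass form is useful when a project needs to register one extra constructor for its own tag while keeping everything else at SafeLoader's level. A grep for yaml.load( without an explicit Loader= argument, as the scanner did, is the quickest way to find the remaining call sites.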