[Git][security-tracker-team/security-tracker][master] CVE-2020-1747/pyyaml: mark as n/a on buster and older

Emilio Pozuelo Monfort pochu at debian.org
Tue Mar 3 11:57:23 GMT 2020



Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
37d9c23a by Emilio Pozuelo Monfort at 2020-03-03T12:54:14+01:00
CVE-2020-1747/pyyaml: mark as n/a on buster and older

These versions don't have FullLoader, only SafeLoader and Loader.
Loader is thus an unsafe one, and shouldn't be trusted to load
untrusted content, thus it doesn't need to be fixed and could break
programs that make use of it to load trusted yaml with special methods.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -20396,6 +20396,9 @@ CVE-2020-1748
 CVE-2020-1747 [arbitrary command execution through python/object/new when FullLoader is used]
 	RESERVED
 	- pyyaml <unfixed> (bug #953013)
+	[buster] - pyyaml <not-affected> (Loader/Constructor classes are unsafe in this version)
+	[stretch] - pyyaml <not-affected> (Loader/Constructor classes are unsafe in this version)
+	[jessie] - pyyaml <not-affected> (Loader/Constructor classes are unsafe in this version)
 	NOTE: https://github.com/yaml/pyyaml/pull/386
 CVE-2020-1746
 	RESERVED
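Review bot: the reason string on the three new `[buster]`/`[stretch]`/`[jessie]` lines ("Loader/Constructor classes are unsafe in this version") describes a property every PyYAML release shares, not what makes these versions not-affected; the distinguishing fact is the one given in the commit message, that these versions ship no FullLoader at all, so the code path behind CVE-2020-1747 does not exist there. Suggest stating that directly in the annotation, e.g. `[buster] - pyyaml <not-affected> (no FullLoader in this version; only SafeLoader and the unsafe Loader)`, so a reader of data/CVE/list can verify the `<not-affected>` claim against the packaged source without having to find this commit.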



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37d9c23a9253a598e6467960ed578def2a8d4db4
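The commit message above turns on the distinction between PyYAML's loaders: SafeLoader refuses tags it has no constructor for, Loader constructs arbitrary Python objects, and older releases have no FullLoader at all. The following is an added example, not code from the Debian security tracker or from PyYAML, illustrating the defensive side of that distinction: it parses untrusted input with SafeLoader only, reports why a document was rejected, and inventories which loader classes the installed PyYAML provides. The two YAML documents are constructed for this demo; the helper names `load_untrusted`, `uses_python_tags` and `loader_inventory` are my own.

```python
# Added example (not part of the security-tracker commit or of PyYAML):
# parse YAML from an untrusted source with SafeLoader only, and surface
# the rejection reason when a document carries a tag SafeLoader will not
# construct. Requires PyYAML; the documents below are constructed inputs.
import yaml

# Constructed input: an ordinary configuration document.
BENIGN_DOC = """
service: inventory
replicas: 3
tags: [prod, eu-west]
"""

# Constructed input: a document using a python/object/new tag. An unsafe
# loader would instantiate the named class; SafeLoader has no constructor
# registered for the tag and raises instead.
TAGGED_DOC = """
service: !!python/object/new:collections.OrderedDict []
"""


def load_untrusted(text):
    """Parse YAML text that may come from an untrusted source.

    Uses yaml.safe_load (SafeLoader) exclusively. Returns (data, None) on
    success, or (None, reason) when SafeLoader rejects a tag such as the
    python/* family.
    """
    try:
        return yaml.safe_load(text), None
    except yaml.constructor.ConstructorError as exc:
        # SafeLoader's construct_undefined raises here; exc.problem names the tag.
        return None, str(exc.problem)


def uses_python_tags(text):
    """Cheap pre-check for audit logging: does the raw text mention a
    python/ tag at all? Not a substitute for SafeLoader, just a signal
    worth recording before parsing."""
    return "!!python/" in text


def loader_inventory():
    """Report which loader classes this PyYAML build exposes. Per the commit
    message, the releases in buster and older have SafeLoader and Loader but
    no FullLoader, so code written against FullLoader fails there."""
    return {name: hasattr(yaml, name) for name in ("SafeLoader", "FullLoader", "Loader")}


if __name__ == "__main__":
    print("loaders available:", loader_inventory())
    print("benign:", load_untrusted(BENIGN_DOC))
    print("tagged:", load_untrusted(TAGGED_DOC))
```

Loading with `yaml.load(text, Loader=yaml.Loader)` would have constructed the `OrderedDict` from the tagged document; that is the unsafe behaviour the commit message refers to, and the reason untrusted content should only ever reach `safe_load` regardless of whether a given PyYAML release has FullLoader.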
