CVE-2017-18342 status

[Jwomers]

Hi, I am maintaining the safety database at PyUp, and I want to get clarity on which version of PyYAML fixes CVE-2017-18342? I know 4.1 was released and then retracted from PyPi.

Does 3.13 fix CVE-2017-18342?

Thanks

[Kobold]

I haven't read the code, but it seems like 3.13 does not fix the CVE. The CVE was regarding the default-unsafe load method, and the change that fixed it (PR #74) was only merged in 4.1 onward, and has since been reverted from the main branch that 4.2 will be cut from.

Issue #193 has the most clarity on the release plan, but it's unclear what the timeline for having #74 (that is, a fix for the CVE) re-merged is. It might be a while before there's a fix for the CVE.

Thanks again for the work you do with PyUp @Jwomers — I would say this is a tricky situation for a safety database. The CVE is not a new thing, it merely got unsafe defaults that have been present since 2006 flagged. Users of PyYAML need to know that they're using a potentially dangerous package, but at the same time, this isn't shocking to anyone who has some familiarity with PyYAML and its sharp edges.

[ingydotnet]

@Kobold's assessment is spot on.

3.13 only addresses PyYAML working with Python 3.7.

The next release (almost certainly versioned as 4.2) has high hopes of including a fix for this issue.

[ljvmiranda921]

Hi, thanks for the pyyaml project. It has been very helpful!
Any updates on this bug? Thank you very much for your time and effort!