[Openstack-security] [Bug 1586079] Fix merged to murano-dashboard (stable/mitaka)
OpenStack Infra
1586079 at bugs.launchpad.net
Thu Jun 23 17:25:25 UTC 2016
Reviewed: https://review.openstack.org/333439
Committed: https://git.openstack.org/cgit/openstack/murano-dashboard/commit/?id=338989020cfd2f4b16a71f7da9a788d668502c9e
Submitter: Jenkins
Branch: stable/mitaka
commit 338989020cfd2f4b16a71f7da9a788d668502c9e
Author: Kirill Zaitsev <kzaitsev at mirantis.com>
Date: Fri May 27 00:11:28 2016 +0300
Inherit custom yaml Loader from yaml.SafeLoader
Before this patch the yaql-enabled yaml Loader inherited from yaml.Loader, which
potentially allows creating arbitrary python objects from specifically
formatted yaml tags. This could have happened whenever UI definitions of
the package were processed.
With this change the yaql yaml Loader no longer allows creating custom python objects.
Change-Id: I4fe38aa7e0fc567211ab872c7e1f8e81dbc3e765
Closes-Bug: #1586079
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1586079
Title:
YaqlYamlLoader inherits from YamlLoader
Status in Murano:
Fix Released
Status in Murano kilo series:
Won't Fix
Status in Murano liberty series:
Fix Committed
Status in Murano mitaka series:
Fix Committed
Status in Murano newton series:
Fix Released
Bug description:
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
-------------------------------------------------------------------------
YaqlYamlLoader inherits from YamlLoader, meaning that it is possible
to use extended unsafe tags in yaml files:
http://pyyaml.org/wiki/PyYAMLDocumentation#YAMLtagsandPythontypes
Both the dashboard and engine/api seem to be vulnerable.