CVE-2017-18342

Advisory

Croud 0.3.0 includes a fix for CVE-2017-18342, an arbitrary code execution vulnerability in yaml.load().
https://github.com/crate/croud/commit/821f2ba47285f5b5ad3e2e2782c44f867da931ee

Affected package

Affected versions

Fixed versions

Vulnerability changelog

==================

- SECURITY: prevented arbitrary code execution when loading the config file
(ref. `CVE-2017-18342 <https://nvd.nist.gov/vuln/detail/CVE-2017-18342>`_)

- Fix: Login page needs to be picked according to the env set in current_context.

- Removed `env` subcommand (replaced with `config set --env [prod|env]`)

- Added subcommand `config get` that prints out a specified default config setting

- Added subcommand `config set` that sets a specified default config setting

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342
• https://github.com/yaml/pyyaml/pull/74
• https://github.com/yaml/pyyaml/blob/master/CHANGES
• https://lists.fedoraproject.org/archives/list/[email protected]/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/
• https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
• https://github.com/marshmallow-code/apispec/issues/278
• https://github.com/yaml/pyyaml/issues/193
• https://security.gentoo.org/glsa/202003-45