  1. TrueNAS
  2. NAS-103056

Update py37-yaml to 4.1 for CVE-2017-18342


    Details

    • Type: Bug
    • Status: Engineering Closed
    • Priority: Low
    • Resolution: Not Applicable
    • Affects Version/s: None
    • Fix Version/s: N/A
    • Component/s: None
    • Labels:

      Description

      Running a recent 11.3 nightly, the only pre-2019 CVE mentioned by pkg audit is this one:

      py37-yaml-3.13 is vulnerable:
      py-yaml -- arbitrary code execution
      CVE: CVE-2017-18342
      WWW: https://vuxml.FreeBSD.org/freebsd/f6ea18bb-65b9-11e9-8b31-002590045d9c.html

      Even if it's not exploitable, it being 2 years old just doesn't look good. If some newbie is evaluating FreeNAS and runs pkg audit, it would look much better to see only 2019 results.


                People

                Assignee:
                releng Triage Team
                Reporter:
                seanm Sean McBride
                Votes:
                0
                Watchers:
                1
