Re: security update: py-yaml
Oh, I forgot to check WANTLIB. OK sthen@ for your diff.

-- 
Sent from a phone, apologies for poor formatting.

On 31 March 2020 06:34:53 Remi Pointel wrote:
> On 2020-03-30 23:42, Stuart Henderson wrote:
> > We are currently quite behind on 5.1.1 so there are a number of other things
> > fixed in the meantime, but this includes a code execution fix. Nothing looks
> > incompatible in changelog, I've tested runtime with beets, ansible, urlwatch
> > and built a selection of the other ports depending on it. OK?
>
> Hello,
>
> I sent a similar diff to pea a few days ago.
> The only difference is the WANTLIB modification, when I ran 'make port-lib-depends-check':
>
> Extra: yaml.0
> WANTLIB += yaml-0
>
> So I changed yaml to yaml-0. Do you have the same result?
>
> Cheers,
> Remi.
Re: security update: py-yaml
On 2020-03-30 23:42, Stuart Henderson wrote:
> We are currently quite behind on 5.1.1 so there are a number of other things
> fixed in the meantime, but this includes a code execution fix. Nothing looks
> incompatible in changelog, I've tested runtime with beets, ansible, urlwatch
> and built a selection of the other ports depending on it. OK?

Hello,

I sent a similar diff to pea a few days ago.
The only difference is the WANTLIB modification, when I ran 'make port-lib-depends-check':

Extra: yaml.0
WANTLIB += yaml-0

So I changed yaml to yaml-0. Do you have the same result?

Cheers,
Remi.

Index: Makefile === RCS file: /cvs/ports/textproc/py-yaml/Makefile,v retrieving revision 1.20 diff -u -p -u -p -r1.20 Makefile --- Makefile 23 Jun 2019 16:28:30 - 1.20 +++ Makefile 31 Mar 2020 05:31:57 - @@ -2,7 +2,7 @@ COMMENT= YAML parser and emitter in Python -MODPY_EGG_VERSION=5.1.1 +MODPY_EGG_VERSION=5.3.1 DISTNAME= PyYAML-${MODPY_EGG_VERSION} PKGNAME= py-yaml-${MODPY_EGG_VERSION} CATEGORIES= textproc @@ -14,7 +14,7 @@ MAINTAINER= Pierre-Emmanuel Andre
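Review bot: the second Makefile hunk (@@ -14,7 +14,7 @@) is cut off after the MAINTAINER line, so the WANTLIB change from yaml to yaml-0 that the message describes cannot be checked from what is shown. Before commit, confirm that the WANTLIB line in that hunk matches the 'WANTLIB += yaml-0' suggested by 'make port-lib-depends-check' and that the 'Extra: yaml.0' report is gone when the check is rerun.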
Re: security update: py-yaml
On Mon, Mar 30, 2020 at 10:42:20PM +0100, Stuart Henderson wrote:
> We are currently quite behind on 5.1.1 so there are a number of other things
> fixed in the meantime, but this includes a code execution fix. Nothing looks
> incompatible in changelog, I've tested runtime with beets, ansible, urlwatch
> and built a selection of the other ports depending on it. OK?

All tests pass for me on sparc64 (both FLAVORs). ok kmos

--Kurt

> 5.3.1 (2020-03-18)
>
> * https://github.com/yaml/pyyaml/pull/386 -- Prevents arbitrary code
>   execution during python/object/new constructor
>
> 5.3 (2020-01-06)
>
> * https://github.com/yaml/pyyaml/pull/290 -- Use `is` instead of equality for
>   comparing with `None`
> * https://github.com/yaml/pyyaml/pull/270 -- fix typos and stylistic nit
> * https://github.com/yaml/pyyaml/pull/309 -- Fix up small typo
> * https://github.com/yaml/pyyaml/pull/161 -- Fix handling of __slots__
> * https://github.com/yaml/pyyaml/pull/358 -- Allow calling
>   add_multi_constructor with None
> * https://github.com/yaml/pyyaml/pull/285 -- Add use of safe_load() function
>   in README
> * https://github.com/yaml/pyyaml/pull/351 -- Fix reader for Unicode code
>   points over 0x
> * https://github.com/yaml/pyyaml/pull/360 -- Enable certain unicode tests
>   when maxunicode not > 0x
> * https://github.com/yaml/pyyaml/pull/359 -- Use full_load in yaml-highlight
>   example
> * https://github.com/yaml/pyyaml/pull/244 -- Document that PyYAML is
>   implemented with Cython
> * https://github.com/yaml/pyyaml/pull/329 -- Fix for Python 3.10
> * https://github.com/yaml/pyyaml/pull/310 -- increase size of index, line,
>   and column fields
> * https://github.com/yaml/pyyaml/pull/260 -- remove some unused imports
> * https://github.com/yaml/pyyaml/pull/163 -- Create timezone-aware datetimes
>   when parsed as such
> * https://github.com/yaml/pyyaml/pull/363 -- Add tests for timezone
>
> 5.2 (2019-12-02)
> --
>
> * Repair incompatibilities introduced with 5.1. The default Loader was
>   changed,
>   but several methods like add_constructor still used the old default
>   https://github.com/yaml/pyyaml/pull/279 -- A more flexible fix for custom
>   tag constructors
>   https://github.com/yaml/pyyaml/pull/287 -- Change default loader for
>   yaml.add_constructor
>   https://github.com/yaml/pyyaml/pull/305 -- Change default loader for
>   add_implicit_resolver, add_path_resolver
> * Make FullLoader safer by removing python/object/apply from the default
>   FullLoader
>   https://github.com/yaml/pyyaml/pull/347 -- Move constructor for
>   object/apply to UnsafeConstructor
> * Fix bug introduced in 5.1 where quoting went wrong on systems with
>   sys.maxunicode <= 0x
>   https://github.com/yaml/pyyaml/pull/276 -- Fix logic for quoting special
>   characters
> * Other PRs:
>   https://github.com/yaml/pyyaml/pull/280 -- Update CHANGES for 5.1
>
> 5.1.2 (2019-07-30)
> --
>
> * Re-release of 5.1 with regenerated Cython sources to build properly for
>   Python 3.8b2+
>
> Index: Makefile > === > RCS file: /cvs/ports/textproc/py-yaml/Makefile,v > retrieving revision 1.20 > diff -u -p -r1.20 Makefile > --- Makefile 23 Jun 2019 16:28:30 - 1.20 > +++ Makefile 30 Mar 2020 21:26:23 - > @@ -2,7 +2,7 @@ > > COMMENT= YAML parser and emitter in Python > > -MODPY_EGG_VERSION=5.1.1 > +MODPY_EGG_VERSION=5.3.1 > DISTNAME=PyYAML-${MODPY_EGG_VERSION} > PKGNAME= py-yaml-${MODPY_EGG_VERSION} > CATEGORIES= textproc > Index: distinfo > === > RCS file: /cvs/ports/textproc/py-yaml/distinfo,v > retrieving revision 1.7 > diff -u -p -r1.7 distinfo > --- distinfo 23 Jun 2019 16:28:30 - 1.7 > +++ distinfo 30 Mar 2020 21:26:23 - 
> @@ -1,2 +1,2 @@ > -SHA256 (PyYAML-5.1.1.tar.gz) = tLtNP14jJCXiXdohwHDOBRaKeGrJ7aQ3aKt/OsJ3CVU= > -SIZE (PyYAML-5.1.1.tar.gz) = 274442 > +SHA256 (PyYAML-5.3.1.tar.gz) = uOrHUsXhTT7KDm3ZGZzWJ1GMtewGrdDenTK67ub+ZF0= > +SIZE (PyYAML-5.3.1.tar.gz) = 269377 > Index: pkg/PLIST > === > RCS file: /cvs/ports/textproc/py-yaml/pkg/PLIST,v > retrieving revision 1.2 > diff -u -p -r1.2 PLIST > --- pkg/PLIST 9 Dec 2015 18:26:47 - 1.2 > +++ pkg/PLIST 30 Mar 2020 21:26:23 - > @@ -1,6 +1,6 @@ > @comment $OpenBSD: PLIST,v 1.2 2015/12/09 18:26:47 jca Exp $ > > lib/python${MODPY_VERSION}/site-packages/PyYAML-${MODPY_EGG_VERSION}-py${MODPY_VERSION}.egg-info > -lib/python${MODPY_VERSION}/site-packages/_yaml.so > +@so lib/python${MODPY_VERSION}/site-packages/_yaml.so > lib/python${MODPY_VERSION}/site-packages/yaml/ > lib/python${MODPY_VERSION}/site-packages/yaml/__init__.py > > ${MODPY_COMMENT}lib/python${MODPY_VERSION}/site-packages/yaml/${MODPY_PYCACHE}/ >
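Review bot: in the pkg/PLIST hunk the only changed line is the '@so' marker added in front of lib/python${MODPY_VERSION}/site-packages/_yaml.so, which is a packing-list annotation and not part of the upstream 5.1.1 to 5.3.1 change. Mention it in the commit message next to the version bump so the PLIST edit is not read as a file added or moved by the new release.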
security update: py-yaml
We are currently quite behind on 5.1.1 so there are a number of other things
fixed in the meantime, but this includes a code execution fix. Nothing looks
incompatible in changelog, I've tested runtime with beets, ansible, urlwatch
and built a selection of the other ports depending on it. OK?

5.3.1 (2020-03-18)

* https://github.com/yaml/pyyaml/pull/386 -- Prevents arbitrary code execution during python/object/new constructor

5.3 (2020-01-06)

* https://github.com/yaml/pyyaml/pull/290 -- Use `is` instead of equality for comparing with `None`
* https://github.com/yaml/pyyaml/pull/270 -- fix typos and stylistic nit
* https://github.com/yaml/pyyaml/pull/309 -- Fix up small typo
* https://github.com/yaml/pyyaml/pull/161 -- Fix handling of __slots__
* https://github.com/yaml/pyyaml/pull/358 -- Allow calling add_multi_constructor with None
* https://github.com/yaml/pyyaml/pull/285 -- Add use of safe_load() function in README
* https://github.com/yaml/pyyaml/pull/351 -- Fix reader for Unicode code points over 0x
* https://github.com/yaml/pyyaml/pull/360 -- Enable certain unicode tests when maxunicode not > 0x
* https://github.com/yaml/pyyaml/pull/359 -- Use full_load in yaml-highlight example
* https://github.com/yaml/pyyaml/pull/244 -- Document that PyYAML is implemented with Cython
* https://github.com/yaml/pyyaml/pull/329 -- Fix for Python 3.10
* https://github.com/yaml/pyyaml/pull/310 -- increase size of index, line, and column fields
* https://github.com/yaml/pyyaml/pull/260 -- remove some unused imports
* https://github.com/yaml/pyyaml/pull/163 -- Create timezone-aware datetimes when parsed as such
* https://github.com/yaml/pyyaml/pull/363 -- Add tests for timezone

5.2 (2019-12-02)
--

* Repair incompatibilities introduced with 5.1. The default Loader was changed,
  but several methods like add_constructor still used the old default
  https://github.com/yaml/pyyaml/pull/279 -- A more flexible fix for custom tag constructors
  https://github.com/yaml/pyyaml/pull/287 -- Change default loader for yaml.add_constructor
  https://github.com/yaml/pyyaml/pull/305 -- Change default loader for add_implicit_resolver, add_path_resolver
* Make FullLoader safer by removing python/object/apply from the default FullLoader
  https://github.com/yaml/pyyaml/pull/347 -- Move constructor for object/apply to UnsafeConstructor
* Fix bug introduced in 5.1 where quoting went wrong on systems with sys.maxunicode <= 0x
  https://github.com/yaml/pyyaml/pull/276 -- Fix logic for quoting special characters
* Other PRs:
  https://github.com/yaml/pyyaml/pull/280 -- Update CHANGES for 5.1

5.1.2 (2019-07-30)
--

* Re-release of 5.1 with regenerated Cython sources to build properly for Python 3.8b2+

Index: Makefile === RCS file: /cvs/ports/textproc/py-yaml/Makefile,v retrieving revision 1.20 diff -u -p -r1.20 Makefile --- Makefile23 Jun 2019 16:28:30 - 1.20 +++ Makefile30 Mar 2020 21:26:23 - @@ -2,7 +2,7 @@ COMMENT= YAML parser and emitter in Python -MODPY_EGG_VERSION=5.1.1 +MODPY_EGG_VERSION=5.3.1 DISTNAME= PyYAML-${MODPY_EGG_VERSION} PKGNAME= py-yaml-${MODPY_EGG_VERSION} CATEGORIES=textproc Index: distinfo === RCS file: /cvs/ports/textproc/py-yaml/distinfo,v retrieving revision 1.7 diff -u -p -r1.7 distinfo --- distinfo23 Jun 2019 16:28:30 - 1.7 +++ distinfo30 Mar 2020 21:26:23 - @@ -1,2 +1,2 @@ -SHA256 (PyYAML-5.1.1.tar.gz) = tLtNP14jJCXiXdohwHDOBRaKeGrJ7aQ3aKt/OsJ3CVU= -SIZE (PyYAML-5.1.1.tar.gz) = 274442 +SHA256 (PyYAML-5.3.1.tar.gz) = uOrHUsXhTT7KDm3ZGZzWJ1GMtewGrdDenTK67ub+ZF0= +SIZE (PyYAML-5.3.1.tar.gz) = 269377 Index: pkg/PLIST === RCS file: /cvs/ports/textproc/py-yaml/pkg/PLIST,v retrieving revision 1.2 diff -u -p -r1.2 PLIST --- pkg/PLIST 9 Dec 2015 18:26:47 - 1.2 +++ pkg/PLIST 30 Mar 2020 21:26:23 - 
@@ -1,6 +1,6 @@ @comment $OpenBSD: PLIST,v 1.2 2015/12/09 18:26:47 jca Exp $ lib/python${MODPY_VERSION}/site-packages/PyYAML-${MODPY_EGG_VERSION}-py${MODPY_VERSION}.egg-info -lib/python${MODPY_VERSION}/site-packages/_yaml.so +@so lib/python${MODPY_VERSION}/site-packages/_yaml.so lib/python${MODPY_VERSION}/site-packages/yaml/ lib/python${MODPY_VERSION}/site-packages/yaml/__init__.py ${MODPY_COMMENT}lib/python${MODPY_VERSION}/site-packages/yaml/${MODPY_PYCACHE}/
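Review bot: the Makefile part of this diff has a single hunk (@@ -2,7 +2,7 @@) that bumps MODPY_EGG_VERSION and leaves WANTLIB untouched, while the PLIST hunk now marks _yaml.so with '@so'. The 'make port-lib-depends-check' run reported elsewhere in this thread for the same update prints 'Extra: yaml.0' and 'WANTLIB += yaml-0', so add the WANTLIB change from yaml to yaml-0 to the Makefile before commit.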
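An added example, not part of the thread and not PyYAML's or the ports tree's own code: the changelog above moves python/object/apply out of FullLoader (5.2) and fixes code execution in the python/object/new constructor (5.3.1), so one way to review ports that depend on py-yaml is to list the calls that do not pin a safe loader. The function name `audit_yaml_calls`, the assumption that the module is bound to the name `yaml`, and the sample source are constructed for illustration.

```python
import ast

# Loaders that build only plain YAML types (no python/* object tags).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# yaml functions that accept a Loader, and shortcuts that pick a non-safe one.
TAKES_LOADER = {"load", "load_all"}
NON_SAFE_SHORTCUTS = {"full_load", "full_load_all", "unsafe_load", "unsafe_load_all"}

def _name(node):
    """Last component of a Name/Attribute node (yaml.FullLoader -> FullLoader)."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def audit_yaml_calls(source, module_alias="yaml"):
    """Return sorted (lineno, function, reason) for calls not using a safe loader."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        func = node.func
        if not (isinstance(func.value, ast.Name) and func.value.id == module_alias):
            continue
        if func.attr in NON_SAFE_SHORTCUTS:
            findings.append((node.lineno, func.attr, "non-safe loader"))
        elif func.attr in TAKES_LOADER:
            loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
            if loader is None and len(node.args) > 1:
                loader = node.args[1]  # Loader passed positionally
            if loader is None:
                findings.append((node.lineno, func.attr, "no Loader given"))
            elif _name(loader) not in SAFE_LOADERS:
                findings.append((node.lineno, func.attr, f"Loader={_name(loader)}"))
    return sorted(findings)

# Constructed sample of a dependent program's code (not from any real port).
SAMPLE = '''\
import yaml
a = yaml.safe_load(text)
b = yaml.load(text)
c = yaml.load(text, Loader=yaml.FullLoader)
d = yaml.load(text, Loader=yaml.CSafeLoader)
e = yaml.full_load(text)
'''

if __name__ == "__main__":
    for lineno, call, reason in audit_yaml_calls(SAMPLE):
        print(f"line {lineno}: yaml.{call}: {reason}")
```

The check is purely syntactic: it does not follow `from yaml import load` or a loader stored in a variable, so a clean result narrows the review but does not replace reading the call sites.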