Bug#933919: src:lavacli: Unsafe use of yaml.load()

2019-09-19 Thread Scott Kitterman
On Thursday, September 19, 2019 2:54:50 AM EDT Remi Duraffort wrote:
> Hello,
> 
> looking at the failing CI jobs at
> https://ci.debian.net/packages/l/lavacli/unstable/amd64/ (more precisely
> https://ci.debian.net/data/autopkgtest/unstable/amd64/l/lavacli/2666918/log.gz)
> we can see that the failure is due to a change in python3-yaml package
> that breaks the lavacli unit tests (change in the dumper output).
> 
> This issue has been reported in #934269 and fixed by
> https://git.lavasoftware.org/lava/lavacli/commit/1d374ccba0dc291e8d745ec90ffa8b4a32fb11af
> 
> So we should close this issue (#933919) and wait for the next release
> (coming in next week) to close #934269.

Since the autopkgtest is failing, the severity of normal is wrong for 934269.
I think if you bump its severity to reflect the current situation, that's fine.

Scott K



Bug#933919: src:lavacli: Unsafe use of yaml.load()

2019-09-18 Thread Remi Duraffort
Hello,

looking at the failing CI jobs at
https://ci.debian.net/packages/l/lavacli/unstable/amd64/ (more precisely
https://ci.debian.net/data/autopkgtest/unstable/amd64/l/lavacli/2666918/log.gz)
we can see that the failure is due to a change in python3-yaml package that
breaks the lavacli unit tests (change in the dumper output).

This issue has been reported in #934269 and fixed by
https://git.lavasoftware.org/lava/lavacli/commit/1d374ccba0dc291e8d745ec90ffa8b4a32fb11af

So we should close this issue (#933919) and wait for the next release
(coming in next week) to close #934269.


Rgds

-- 
Rémi Duraffort


Bug#933919: src:lavacli: Unsafe use of yaml.load()

2019-09-18 Thread Remi Duraffort
On Mon, 05 Aug 2019 01:31:12 -0400 Scott Kitterman wrote:
> Package: src:lavacli
> Version: 0.9.7-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> The new version of pyyaml no longer allows use of yaml.load() without a
> loader being specified.  This raises a deprecation warning which has
> caused an autopkgtest failure on this package.  These are generally
> trivial to fix, see the upstream guidance [1].
>
> Scott K
>
> [1] https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
>
>

Hello,

this should be already fixed in the version you are mentioning (v0.9.7).
I looked at the code again and can't find any places where yaml.load is
used without a loader.

Could you point me at the CI job that is raising this warning?


Thanks

-- 
Rémi Duraffort


Bug#933919: src:lavacli: Unsafe use of yaml.load()

2019-09-02 Thread Steve McIntyre
On Mon, Aug 05, 2019 at 01:31:12AM -0400, Scott Kitterman wrote:
>Package: src:lavacli
>Version: 0.9.7-1
>Severity: grave
>Tags: security
>Justification: user security hole
>
>The new version of pyyaml no longer allows use of yaml.load() without a
>loader being specified.  This raises a deprecation warning which has
>caused an autopkgtest failure on this package.  These are generally
>trivial to fix, see the upstream guidance [1].
>
>Scott K

ACK, fix coming shortly upstream.

-- 
Steve McIntyre, Cambridge, UK.    st...@einval.com
  Getting a SCSI chain working is perfectly simple if you remember that there
  must be exactly three terminations: one on one end of the cable, one on the
  far end, and the goat, terminated over the SCSI chain with a silver-handled
  knife whilst burning *black* candles. --- Anthony DeBoer



Bug#933919: src:lavacli: Unsafe use of yaml.load()

2019-08-04 Thread Scott Kitterman
Package: src:lavacli
Version: 0.9.7-1
Severity: grave
Tags: security
Justification: user security hole

The new version of pyyaml no longer allows use of yaml.load() without a
loader being specified.  This raises a deprecation warning which has
caused an autopkgtest failure on this package.  These are generally
trivial to fix, see the upstream guidance [1].

Scott K

[1] https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
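The report above hinges on whether any `yaml.load()` call in the package omits an explicit Loader, which the maintainer later checked by reading the code. The following is an added example, not code from lavacli, PyYAML or any participant in this thread: a standard-library-only audit that walks a Python source file's AST and reports every `yaml.load()` / `yaml.load_all()` call that either passes no Loader (the form PyYAML 5.1 deprecated) or passes a loader outside a small safe allowlist. The allowlist, the function and variable names, and the embedded sample source are constructed for this example; the sample is parsed, never executed, so it needs neither PyYAML nor the files it mentions.

```python
"""Audit Python source for yaml.load() calls without a safe, explicit Loader.

Added example (not lavacli's or PyYAML's code). Uses only the standard
library so it runs without PyYAML installed: the source under review is
parsed with `ast`, not imported or executed.
"""
import ast
from typing import List, Optional, Tuple

# Loaders accepted as safe (assumption: this allowlist is a policy choice for
# the example). Anything else, including FullLoader, UnsafeLoader, the bare
# Loader class, or a loader held in a variable, is reported for review.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
CHECKED_FUNCS = {"load", "load_all"}


def _yaml_func_name(call: ast.Call) -> Optional[str]:
    """Return 'load' or 'load_all' when the call is yaml.load(...)/yaml.load_all(...)."""
    f = call.func
    if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and f.value.id == "yaml" and f.attr in CHECKED_FUNCS):
        return f.attr
    return None


def _loader_name(node: ast.AST) -> str:
    """Identifier of the loader argument: yaml.SafeLoader -> 'SafeLoader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return "<expression>"


def find_unsafe_yaml_loads(source: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every yaml.load()/yaml.load_all() call
    that omits the Loader argument or passes a loader outside SAFE_LOADERS."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = _yaml_func_name(node)
        if func is None:
            continue
        # The loader may be given as a keyword (Loader=...) or as the second
        # positional argument; both count as explicit.
        loader_node = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader_node is None and len(node.args) >= 2:
            loader_node = node.args[1]
        if loader_node is None:
            findings.append((node.lineno, f"yaml.{func}() called with no Loader"))
        else:
            name = _loader_name(loader_node)
            if name not in SAFE_LOADERS:
                findings.append((node.lineno,
                                 f"yaml.{func}() uses Loader={name}, not in safe allowlist"))
    return sorted(findings)


# Constructed sample source for the audit; it is only parsed, so the
# undefined `text` and the missing file do not matter.
SAMPLE = """\
import yaml

cfg = yaml.load(open("lavacli.yaml"))            # line 3: no Loader
jobs = list(yaml.load_all(text))                 # line 4: no Loader
full = yaml.load(text, Loader=yaml.FullLoader)   # line 5: not in allowlist
ok1 = yaml.safe_load(text)                       # fine
ok2 = yaml.load(text, Loader=yaml.SafeLoader)    # fine
ok3 = yaml.load(text, yaml.CSafeLoader)          # fine: positional loader
"""


if __name__ == "__main__":
    for lineno, reason in find_unsafe_yaml_loads(SAMPLE):
        print(f"sample.py:{lineno}: {reason}")
```

Run against a real tree, the same function can be applied to each `.py` file's contents; a clean result is the condition the maintainer describes above, and the deprecation warning the bug report mentions corresponds to the "called with no Loader" findings. Replacing a flagged call with `yaml.safe_load(stream)` or `yaml.load(stream, Loader=yaml.SafeLoader)` is the fix the linked upstream guidance recommends.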