python36-PyYAML-5.4.1-1.6 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11210-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python36-PyYAML-5.4.1-1.6 on GA media These are all security issues fixed in the python36-PyYAML-5.4.1-1.6 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11210 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-18342/ SUSE CVE CVE-2017-18342 page https://www.suse.com/security/cve/CVE-2020-14343/ SUSE CVE CVE-2020-14343 page openSUSE Tumbleweed python36-PyYAML-5.4.1-1.6 python38-PyYAML-5.4.1-1.6 python39-PyYAML-5.4.1-1.6 python36-PyYAML-5.4.1-1.6 as a component of openSUSE Tumbleweed python38-PyYAML-5.4.1-1.6 as a component of openSUSE Tumbleweed python39-PyYAML-5.4.1-1.6 as a component of openSUSE Tumbleweed In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function. CVE-2017-18342 openSUSE Tumbleweed:python36-PyYAML-5.4.1-1.6 openSUSE Tumbleweed:python38-PyYAML-5.4.1-1.6 openSUSE Tumbleweed:python39-PyYAML-5.4.1-1.6 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-18342.html CVE-2017-18342 https://bugzilla.suse.com/1099308 SUSE Bug 1099308 https://bugzilla.suse.com/1164453 SUSE Bug 1164453 A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747. CVE-2020-14343 openSUSE Tumbleweed:python36-PyYAML-5.4.1-1.6 openSUSE Tumbleweed:python38-PyYAML-5.4.1-1.6 openSUSE Tumbleweed:python39-PyYAML-5.4.1-1.6 important 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14343.html CVE-2020-14343 https://bugzilla.suse.com/1174514 SUSE Bug 1174514