Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 389317 (CVE-2011-4103) - <dev-python/django-piston-0.2.3: unsafe yaml.load method (CVE-2011-4103)
Summary: <dev-python/django-piston-0.2.3: unsafe yaml.load method (CVE-2011-4103)
Alias: CVE-2011-4103
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa]
Depends on:
Reported: 2011-11-02 11:46 UTC by Sean Amoss (RETIRED)
Modified: 2011-12-11 17:07 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sean Amoss (RETIRED) gentoo-dev Security 2011-11-02 11:46:56 UTC
From the upstream advisory at $URL:

"Piston and Tastypie, two popular REST API frameworks for Django, today issued security releases for a remote code execution vulnerability. Users of these frameworks should upgrade immediately.

Users of Piston should upgrade to version 0.2.3 or; Tastypie users should upgrade to version 0.9.10.

It was discovered that both Piston and Tastypie share a similar vulnerability with respect to their de-serialization of YAML post data. Both Piston and Tastypie used the yaml.load method, which is unsafe. In certain circumstances this could be used to allow remote execution of arbitrary code. The updated versions, released today, correctly use the yaml.safe_load method, which prevents remote code execution. Servers without the yaml module installed are not affected. Regardless, we recommend that all users of Piston or Tastypie upgrade immediately."
Comment 1 Mike Gilbert gentoo-dev 2011-12-11 07:13:30 UTC
dev-python/django-piston-0.2.3 is now in the tree.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-12-11 17:07:33 UTC
Thanks, Mike. Closing noglsa for ~arch only package.