From c50f4b4a0222a964710ce3124a66fe13c804be65 Mon Sep 17 00:00:00 2001
From: Philipp Maier
Date: Wed, 15 Apr 2026 14:14:35 +0200
Subject: [PATCH] requirements: ensure safe version of PyYAML >= 5.4 (CVE-2020-1747)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PyYAML versions 5.1–5.3.1 are vulnerable to CVE-2020-1747, which allows
arbitrary code execution through yaml.FullLoader. While PyYAML 5.4+ patches
this, the dependency specification (pyyaml >= 5.1) doesn't guarantee a safe
version.

Let's increase the requirement to version 5.4 to ensure a safe version of is
used.

This patch is based on suggestions from: "YanTong C "

Change-Id: I901c76c59e9c1bab030eab81038e04a475b32510
---
 README.md        | 2 +-
 requirements.txt | 2 +-
 setup.py         | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 87733567..7768b63e 100644
--- a/README.md
+++ b/README.md
@@ -97,7 +97,7 @@ Please install the following dependencies:
 - pyscard
 - pyserial
 - pytlv
-- pyyaml >= 5.1
+- pyyaml >= 5.4
 - smpp.pdu (from `github.com/hologram-io/smpp.pdu`)
 - termcolor
 
diff --git a/requirements.txt b/requirements.txt
index 4ceec452..9088f16f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,7 +6,7 @@ jsonpath-ng
 construct>=2.10.70
 bidict
 pyosmocom>=0.0.12
-pyyaml>=5.1
+pyyaml>=5.4
 termcolor
 colorlog
 pycryptodomex
diff --git a/setup.py b/setup.py
index be811225..614d80ba 100644
--- a/setup.py
+++ b/setup.py
@@ -26,7 +26,7 @@ setup(
 "construct >= 2.10.70",
 "bidict",
 "pyosmocom >= 0.0.12",
- "pyyaml >= 5.1",
+ "pyyaml >= 5.4",
 "termcolor",
 "colorlog",
 "pycryptodomex",