public/pysim
1
0
Fork 1
mirror of https://gitea.osmocom.org/sim-card/pysim.git synced 2026-05-07 14:21:18 +03:00
Code Issues Packages Projects Releases Wiki Activity

requirements: ensure safe version of PyYAML >= 5.4 (CVE-2020-1747)

Browse Source 
PyYAML versions 5.1–5.3.1 are vulnerable to CVE-2020-1747, which allows
arbitrary code execution through yaml.FullLoader. While PyYAML 5.4+
patches this, the dependency specification (pyyaml >= 5.1) doesn't
guarantee a safe version. Let's increase the requirement to version
5.4 to ensure a safe version of is used.

This patch is based on suggestions from:
"YanTong C <chyeyantong03@gmail.com>"

Change-Id: I901c76c59e9c1bab030eab81038e04a475b32510
This commit is contained in:
Philipp Maier
2026-04-15 14:14:35 +02:00
committed by dexter
parent 816b31eb07
commit c50f4b4a02
3 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -97,7 +97,7 @@ Please install the following dependencies:
- pyscard - pyscard
- pyserial - pyserial
- pytlv - pytlv
- pyyaml >= 5.1 - pyyaml >= 5.4
- smpp.pdu (from `github.com/hologram-io/smpp.pdu`) - smpp.pdu (from `github.com/hologram-io/smpp.pdu`)
- termcolor - termcolor

2
requirements.txt
View File

@@ -6,7 +6,7 @@ jsonpath-ng
construct>=2.10.70 construct>=2.10.70
bidict bidict
pyosmocom>=0.0.12 pyosmocom>=0.0.12
pyyaml>=5.1 pyyaml>=5.4
termcolor termcolor
colorlog colorlog
pycryptodomex pycryptodomex

2
setup.py
View File

@@ -26,7 +26,7 @@ setup(
"construct >= 2.10.70", "construct >= 2.10.70",
"bidict", "bidict",
"pyosmocom >= 0.0.12", "pyosmocom >= 0.0.12",
"pyyaml >= 5.1", "pyyaml >= 5.4",
"termcolor", "termcolor",
"colorlog", "colorlog",
"pycryptodomex", "pycryptodomex",