CVE-2019-20477

Priority
Description
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and
load_all functions because of a class deserialization issue, e.g., Popen is
a class in the subprocess module. NOTE: this issue exists because of an
incomplete fix for CVE-2017-18342.
Notes
mdeslaur: CVE-2017-18342 resulted in the load() function being
deprecated in 5.1+ in eoan and later. It did not get fixed in
previous releases because of compatibility issues. This CVE
therefore only really applies to eoan and later.
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (code not present)
Ubuntu 20.04 LTS (Focal Fossa): not-affected (5.3-1ubuntu2)
Ubuntu 20.10 (Groovy Gorilla): not-affected (5.3-1ubuntu2)
More Information

Updated: 2020-09-10 06:30:38 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)