Bump pyyaml from 5.3.1 to 5.4.1 #6511

Merged
merged 3 commits into from
Jan 28, 2021


qiluo-msft
Collaborator

- Why I did it
RCE resolved in new version yaml/pyyaml#420

- How I did it

- How to verify it

- Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

Contributor

@jleveque jleveque left a comment

As part of this PR, can you please also pin the PyYAML version in:

  • src/sonic-ctrmgrd/setup.py
  • src/sonic-py-common/setup.py

And determine if we still need to explicitly install it in dockers/docker-snmp/Dockerfile.j2?

Review threads:

  • sonic-slave-buster/Dockerfile.j2 (resolved)
  • sonic-slave-stretch/Dockerfile.j2 (outdated, resolved)

@qiluo-msft
Collaborator Author

Both are good now. Even if the dependency is not available in the build environment, the downloaded latest version is good. If they need any specific version, they need to pin it.


In reply to: 572984163

@qiluo-msft
Collaborator Author

Retest baseimage please

@jleveque jleveque added the dependencies Pull requests that update a dependency file label Jan 28, 2021
@qiluo-msft qiluo-msft merged commit 1c8d5ec into sonic-net:master Jan 28, 2021
@qiluo-msft qiluo-msft deleted the qiluo/bumppyyaml branch January 28, 2021 18:47
lguohan pushed a commit that referenced this pull request Feb 3, 2021
deran1980 pushed a commit to deran1980/sonic-buildimage that referenced this pull request Feb 4, 2021
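
A check a reviewer could run for the pinning request in this thread, added here as an example (not code from this PR or from the sonic-buildimage project): it scans requirement lines for PyYAML and reports exact pins older than 5.4.1 as well as references that carry no exact pin. Only the file paths come from the thread; the file contents are constructed samples and the function names are hypothetical.

```python
import re

# Version this PR bumps to; exact pins below it are reported as outdated.
MIN_VERSION = (5, 4, 1)

# "PyYAML" in any case, not part of a longer name, with an optional specifier.
REQ_RE = re.compile(
    r"(?<![\w-])pyyaml(?![\w-])\s*"
    r"(?:(==|~=|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*))?",
    re.IGNORECASE,
)

def parse_version(text):
    """'5.4' -> (5, 4, 0), so short versions compare correctly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(line):
    """Return None when the line has no PyYAML requirement, else a status."""
    code = line.split("#", 1)[0]  # ignore comments
    match = REQ_RE.search(code)
    if match is None:
        return None
    op, version = match.groups()
    if op != "==":
        return "not-pinned"  # bare name, or a range such as >=5.1
    return "ok" if parse_version(version) >= MIN_VERSION else "outdated"

def audit(files):
    """files: {path: text}. Return [(path, line_no, status)] per reference."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            status = classify(line)
            if status is not None:
                findings.append((path, line_no, status))
    return findings

# Constructed sample contents (not copied from the repository).
SAMPLE = {
    "sonic-slave-buster/Dockerfile.j2": "RUN pip3 install pyyaml==5.4.1\n",
    "sonic-slave-stretch/Dockerfile.j2": "RUN pip install pyyaml==5.3.1\n",
    "src/sonic-ctrmgrd/setup.py": "install_requires = [\n    'netaddr==0.8.0',\n    'pyyaml',\n]\n",
    "src/sonic-py-common/setup.py": "install_requires = [\n    'pyyaml>=5.1',  # floor only\n]\n",
}

if __name__ == "__main__":
    for path, line_no, status in audit(SAMPLE):
        print(f"{status:10} {path}:{line_no}")
```
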