| Message ID | 20200326100404.82191-1-james.hilliard1@gmail.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [1/1] package/python-pyyaml: bump to version 5.3.1 | expand |
On Thu, 26 Mar 2020 04:04:04 -0600 James Hilliard <james.hilliard1@gmail.com> wrote: > Signed-off-by: James Hilliard <james.hilliard1@gmail.com> > --- > package/python-pyyaml/python-pyyaml.hash | 6 +++--- > package/python-pyyaml/python-pyyaml.mk | 4 ++-- > 2 files changed, 5 insertions(+), 5 deletions(-) > > diff --git a/package/python-pyyaml/python-pyyaml.hash b/package/python-pyyaml/python-pyyaml.hash > index e0d182bcbb..1161ae1021 100644 > --- a/package/python-pyyaml/python-pyyaml.hash > +++ b/package/python-pyyaml/python-pyyaml.hash > @@ -1,5 +1,5 @@ > # md5, sha256 from https://pypi.org/pypi/PyYAML/json > -md5 adbb0d336b509d6472d3b095a0f1cf30 PyYAML-5.3.tar.gz > -sha256 e9f45bd5b92c7974e59bcd2dcc8631a6b6cc380a904725fce7bc08872e691615 PyYAML-5.3.tar.gz > +md5 d3590b85917362e837298e733321962b PyYAML-5.3.1.tar.gz > +sha256 b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d PyYAML-5.3.1.tar.gz > # Locally computed sha256 checksums > -sha256 a2adb9c959b797494a0ef80bdf60e22db2749ee3e0c0908556e3eb548f967c56 LICENSE > +sha256 a2adb9c959b797494a0ef80bdf60e22db2749ee3e0c0908556e3eb548f967c56 LICENSE It was good to update the indentation here... but you forgot to update the hash itself, as the LICENSE file changed! I updated this, explained what the LICENSE file change was in the commit log, and applied. Thanks! Thomas
>>>>> "James" == James Hilliard <james.hilliard1@gmail.com> writes: > Signed-off-by: James Hilliard <james.hilliard1@gmail.com> Can you please mention whenever version bumps have security implications? E.G. looking at the 5.3.1 release the only change is: #386: Prevents arbitrary code execution during python/object/new constructor https://github.com/yaml/pyyaml/pull/386 Which sounds very much like a security bump to me.
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: >>>>> "James" == James Hilliard <james.hilliard1@gmail.com> writes: >> Signed-off-by: James Hilliard <james.hilliard1@gmail.com> > Can you please mention whenever version bumps have security > implications? E.G. looking at the 5.3.1 release the only change is: > #386: Prevents arbitrary code execution during python/object/new > constructor > https://github.com/yaml/pyyaml/pull/386 > Which sounds very much like a security bump to me. Committed to 2020.02.x after adding that information, thanks. I didn't backport it to 2019.02.x / 2019.11.x yet, as we need to ensure it doesn't break the version checks in docker-compose.
diff --git a/package/python-pyyaml/python-pyyaml.hash b/package/python-pyyaml/python-pyyaml.hash index e0d182bcbb..1161ae1021 100644 --- a/package/python-pyyaml/python-pyyaml.hash +++ b/package/python-pyyaml/python-pyyaml.hash @@ -1,5 +1,5 @@ # md5, sha256 from https://pypi.org/pypi/PyYAML/json -md5 adbb0d336b509d6472d3b095a0f1cf30 PyYAML-5.3.tar.gz -sha256 e9f45bd5b92c7974e59bcd2dcc8631a6b6cc380a904725fce7bc08872e691615 PyYAML-5.3.tar.gz +md5 d3590b85917362e837298e733321962b PyYAML-5.3.1.tar.gz +sha256 b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d PyYAML-5.3.1.tar.gz # Locally computed sha256 checksums -sha256 a2adb9c959b797494a0ef80bdf60e22db2749ee3e0c0908556e3eb548f967c56 LICENSE +sha256 a2adb9c959b797494a0ef80bdf60e22db2749ee3e0c0908556e3eb548f967c56 LICENSE diff --git a/package/python-pyyaml/python-pyyaml.mk b/package/python-pyyaml/python-pyyaml.mk index 5d9246d37c..78506390a4 100644 --- a/package/python-pyyaml/python-pyyaml.mk +++ b/package/python-pyyaml/python-pyyaml.mk @@ -4,9 +4,9 @@ # ################################################################################ -PYTHON_PYYAML_VERSION = 5.3 +PYTHON_PYYAML_VERSION = 5.3.1 PYTHON_PYYAML_SOURCE = PyYAML-$(PYTHON_PYYAML_VERSION).tar.gz -PYTHON_PYYAML_SITE = https://files.pythonhosted.org/packages/3d/d9/ea9816aea31beeadccd03f1f8b625ecf8f645bd66744484d162d84803ce5 +PYTHON_PYYAML_SITE = https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c PYTHON_PYYAML_SETUP_TYPE = distutils PYTHON_PYYAML_LICENSE = MIT PYTHON_PYYAML_LICENSE_FILES = LICENSE
Signed-off-by: James Hilliard <james.hilliard1@gmail.com> --- package/python-pyyaml/python-pyyaml.hash | 6 +++--- package/python-pyyaml/python-pyyaml.mk | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-)