MCO-794: Enable yaml safe_load as the default for MCO

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version: MCO 2.10.2
    • Fix Version: MCO 2.10.4
    • Component: None
    • Reject any message contents that are not basic data types or symbols. This will impact anyone not careful about data serialization in their plugins if they're using YAML serialization with the ssl or aes connector plugins.
    • Dumpling
    • 2
    • CVE-2017-2292
    • FF 2017-04-05, FF 2017-04-19, FF 2017-05-03
    • Bug Fix
    • The aes and ssl security plugins now use YAML.safe_load to deserialize messages. This avoids potential attack vectors from deserializing YAML into classes. Those plugins now require Ruby 2.1+ to use YAML deserialization.
    • No Action

    Description

      Update YAML deserialization in the ssl and aes security plugins to use YAML.safe_load, with Symbol added to the permitted classes so that symbol-keyed message hashes still round-trip. Add enough acceptance testing to be confident in this change.

      YAML.safe_load is only available on Ruby 2.1+. On older Rubies (all of which are end-of-life), report that YAML serialization is no longer supported. Users who do not care about security can use Marshal instead.
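      The following is an added illustration of the change this ticket describes, not MCollective's own plugin code. It wraps YAML.safe_load with only Symbol permitted (the "basic data types or symbols" rule above), refuses anchors/aliases, and shows what happens to a message body that carries an arbitrary Ruby class tag, an alias, or a bare date scalar (which would load as a Date object and so is also refused). It assumes the keyword form of safe_load, i.e. Ruby 2.6+ / Psych 3.1+; on the Ruby 2.1 floor named in the ticket the same options were passed positionally.

```ruby
require 'yaml'

# Classes a message body may contain beyond YAML's basic scalars and
# collections. Symbol is permitted so that symbol-keyed Ruby hashes
# round-trip; nothing else is.
PERMITTED_CLASSES = [Symbol].freeze

class UnsafeMessage < StandardError; end

# Hypothetical stand-in for the deserialization step of a security plugin
# (assumption: not MCollective's own code). Any YAML that would instantiate
# an arbitrary Ruby class, or that uses anchors/aliases, is rejected.
def safe_deserialize(body)
  YAML.safe_load(body, permitted_classes: PERMITTED_CLASSES, aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  raise UnsafeMessage, "rejected message body: #{e.message}"
end

# Serialization side: YAML.dump emits plain YAML for basic data, so a
# well-behaved plugin's messages always pass safe_deserialize.
def serialize(payload)
  YAML.dump(payload)
end

# true if the body is refused by safe_deserialize, false if it loads.
def rejected?(body)
  safe_deserialize(body)
  false
rescue UnsafeMessage
  true
end

# Constructed sample bodies (not captured traffic).
GOOD_BODY   = serialize({ :msgtime => 1491400000, :body => 'ping', :filter => { :agent => ['puppet'] } })
TAGGED_BODY = "--- !ruby/object:SomeAppClass\nname: x\n"   # arbitrary class tag (constructed)
ALIAS_BODY  = "---\na: &ref [1, 2]\nb: *ref\n"             # anchor plus alias
DATE_BODY   = "---\nwhen: 2017-04-05\n"                    # bare date scalar => Date class

if __FILE__ == $0
  [GOOD_BODY, TAGGED_BODY, ALIAS_BODY, DATE_BODY].each do |body|
    puts "#{rejected?(body) ? 'REJECTED' : 'accepted'}: #{body.lines.first.chomp}"
  end
end
```

      The DATE_BODY case is the kind of breakage the release note warns about: a plugin that puts a Date or Time into a message was fine under YAML.load and is refused under safe_load unless that class is explicitly permitted.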

      People

        john.duarte John Duarte
        bradejr Rob Braden