hello!
I recently received this GitHub alert on a project because I'm using a pyyaml version <4.2b1:
high severity
Vulnerable versions: < 4.2b1
Patched version: 4.2b1
In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used.
After some research it seems that it's because docker-compose requires PyYAML >= 3.10, < 4 in setup.py:
https://github.com/docker/compose/blob/64633a81cc62c42b6379a5d0a1a454a9f47df458/setup.py#L35
Is there any contraindication to not authorizing version >4? Thanks.
Hi @qboot
The vulnerable code is not currently used in our code base (Compose only ever calls safe_load). That said, we'll definitely look into upgrading the dependency to avoid issues cropping up in the future.
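The maintainer's claim above ("Compose only ever calls safe_load") is the kind of statement worth verifying mechanically before deciding a dependency pin is harmless. The following is an added example, not code from Compose or PyYAML: a small stdlib-only AST audit that flags `yaml.load` / `yaml.load_all` calls that do not pin a safe Loader, run over a constructed sample module (the sample source, the `SAFE_LOADERS` set and the function names are assumptions of this example).

```python
import ast

# Constructed sample, not from the Compose code base: one safe_load call,
# one default-loader yaml.load, one explicit SafeLoader, one explicit full Loader.
SAMPLE_SOURCE = """
import yaml
from yaml import load, SafeLoader

def a(s):
    return yaml.safe_load(s)

def b(s):
    return yaml.load(s)

def c(s):
    return load(s, Loader=SafeLoader)

def d(s):
    return yaml.load(s, Loader=yaml.Loader)
"""

# Loader classes that never construct arbitrary Python objects (assumed list).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# Bare `load`/`load_all` are treated as PyYAML's (assumes `from yaml import load`).
LOAD_CALLEES = {"yaml.load", "yaml.load_all", "load", "load_all"}

def _dotted_name(expr):
    """'yaml.Loader' for an Attribute on a Name, 'load' for a bare Name, else None."""
    if isinstance(expr, ast.Attribute) and isinstance(expr.value, ast.Name):
        return f"{expr.value.id}.{expr.attr}"
    if isinstance(expr, ast.Name):
        return expr.id
    return None

def _loader_of(call):
    """Loader class name given by keyword or as the second positional arg; None if absent."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return (_dotted_name(kw.value) or "<expr>").rsplit(".", 1)[-1]
    if len(call.args) >= 2:
        return (_dotted_name(call.args[1]) or "<expr>").rsplit(".", 1)[-1]
    return None

def find_unsafe_yaml_loads(source):
    """Return sorted (lineno, callee, loader) for load/load_all calls lacking a safe Loader."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            callee = _dotted_name(node.func)
            if callee in LOAD_CALLEES and _loader_of(node) not in SAFE_LOADERS:
                findings.append((node.lineno, callee, _loader_of(node)))
    return sorted(findings)

def uses_only_safe_loading(source):
    """True when every yaml.load/load_all in `source` pins a safe Loader."""
    return not find_unsafe_yaml_loads(source)
```

Running it over the sample reports the default-loader call in `b` and the explicit full `Loader` in `d`; a code base where this returns an empty list is one where the PyYAML advisory above does not apply regardless of the pinned version.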
ERROR: docker-compose 1.24.0 has requirement PyYAML<4.3,>=3.10, but you'll have pyyaml 5.1 which is incompatible.
Any plans for this?
I am having the same error for my docker image, did you find any solution yet?
I'm also getting this error when using sagemaker, and it tries to run docker-compose:
pkg_resources.ContextualVersionConflict: (PyYAML 5.1 (c:\users\tanner\anaconda3\lib\site-packages), Requirement.parse('PyYAML<4.3,>=3.10'), {'docker-compose'})
Edit: I found this thread https://github.com/docker/compose/issues/6619
I ran into the same issue trying to use sagemaker and keras. It can be resolved by using PyYAML==4.2b1 -- see swagger-atlas/atlas/issues/7