CVE-2017-18342

Advisory

Bokeh before 1.0.4 used a Pyyaml version that was vulnerable to CVE-2017-18342.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

--------------------
* bugfixes:
- 8558 [py2] Safer alternative fix for unicode notebook issue in python 2
* features:
- 8513 [notebook] Strip out ipython magics when serving notebooks
* tasks:
- 8207 Adding/updating boilerplate code
- 8525 [component: tests] Don't resize window when running images tests
- 8533 [component: build] Remove warning about `gulp build` in prepare.js
- 8534 [component: docs] Docs tweak to add note about bokeh_dev and apps
- 8541 Pyyaml version is vulnerable to cve-2017-18342
- 8543 [component: server] Bad error message for nonexistent bokeh serve target
- 8548 [component: docs] Add small documentation to slider callback_policy which only apply to customjs
- 8550 [component: docs] Fix-up bokeh_dev docs (follow-up)
- 8553 Add model, event, and populate bokeh.models __all__
- 8555 [py2] Unicode fix when serving notebooks on python 2
- 8556 [component: docs] Correct three minor typos

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342
• https://github.com/yaml/pyyaml/pull/74
• https://github.com/yaml/pyyaml/blob/master/CHANGES
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/
• https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
• https://github.com/marshmallow-code/apispec/issues/278
• https://github.com/yaml/pyyaml/issues/193
• https://security.gentoo.org/glsa/202003-45