oss-sec mailing list archives
Re: CVE request for Django-piston and Tastypie
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 01 Nov 2011 16:27:49 -0600
On 11/01/2011 03:58 PM, Vincent Danen wrote:
> * [2011-11-01 13:15:53 -0600] Kurt Seifried wrote:
>> On 11/01/2011 11:11 AM, David Black wrote:
>>> y with respect to their de-serialization of YAML post data. Both Piston
>>> and Tastypie used the yaml.load method, which is unsafe. In certain
>>
>> Can you please send me links for Piston and Tastypie announcements/code
>> commits showing the vuln please? Thanks.
>
> Can't speak for Tastypie (we don't ship it so I didn't look), but for Piston:
>
> https://bitbucket.org/jespern/django-piston/changeset/91bdaec89543
> https://bugzilla.redhat.com/show_bug.cgi?id=750658
>
> There is no Piston announcement that I can see.
Please use CVE-2011-4103 for the Piston yaml.load issue.

--
-Kurt Seifried / Red Hat Security Response Team
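The thread above names the defect (yaml.load on client-supplied POST data) without showing a fix. The following is an added example, not code from Piston, Tastypie, or this thread: a request-body deserializer built on yaml.safe_load, which only constructs plain data types and refuses any document that asks for a Python-specific constructor. It assumes PyYAML is installed; the size cap, the function and class names, and the sample request bodies are constructed for illustration.

```python
"""Safe deserialization of YAML request bodies (added example; not Piston or Tastypie code).

The pattern discussed in the thread is the equivalent of calling yaml.load()
on the raw POST body, which lets the client choose Python-specific YAML tags.
yaml.safe_load() builds only dicts, lists, strings, numbers, booleans, None
and dates, and raises ConstructorError for any other tag.
"""
import yaml

# Upper bound on an accepted body; an assumed value, not one from the thread.
MAX_BODY_BYTES = 64 * 1024


class UnsafeYAMLError(ValueError):
    """Raised when a client-supplied YAML document is rejected."""


def load_untrusted_yaml(body: bytes):
    """Deserialize a client-supplied YAML body into plain Python data.

    Rejects oversized bodies, non-UTF-8 bodies, malformed YAML, and any
    document that carries a tag safe_load has no constructor for (which
    covers every ``!!python/...`` tag).
    """
    if len(body) > MAX_BODY_BYTES:
        raise UnsafeYAMLError("YAML body too large")
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise UnsafeYAMLError("YAML body is not valid UTF-8") from exc
    try:
        return yaml.safe_load(text)
    except yaml.constructor.ConstructorError as exc:
        # SafeLoader refuses non-standard tags instead of resolving them.
        raise UnsafeYAMLError(f"unsupported YAML tag: {exc.problem}") from exc
    except yaml.YAMLError as exc:
        raise UnsafeYAMLError(f"malformed YAML: {exc}") from exc


def rejects(body: bytes) -> bool:
    """True if load_untrusted_yaml refuses the body, False if it parses it."""
    try:
        load_untrusted_yaml(body)
    except UnsafeYAMLError:
        return True
    return False


# Constructed sample bodies standing in for what a client might POST.
BENIGN_BODY = b"title: hello\ntags: [a, b]\ncount: 3\n"
# A harmless python/name tag: enough to show that any such tag is refused.
TAGGED_BODY = b"value: !!python/name:math.pi\n"
MALFORMED_BODY = b"key: [unclosed\n"
NON_UTF8_BODY = b"\xff\xfe"
OVERSIZED_BODY = b"a: " + b"x" * MAX_BODY_BYTES


if __name__ == "__main__":
    print("benign   ->", load_untrusted_yaml(BENIGN_BODY))
    for name, body in [("tagged", TAGGED_BODY), ("malformed", MALFORMED_BODY),
                       ("non-utf8", NON_UTF8_BODY), ("oversized", OVERSIZED_BODY)]:
        print(f"{name:9}-> rejected: {rejects(body)}")
```

The essential change is the one the Piston changeset makes: swap the loader. Everything else here (the size cap, the encoding check, mapping every failure to one exception type the view layer can turn into a 400) is defence in depth around it.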