The fix made in PyYAML for CVE-2020-1747 was not sufficient to resolve the issue.
Created PyYAML tracking bugs for this issue:
Affects: fedora-all [bug 1860469]
Created python2-pyyaml tracking bugs for this issue:
Affects: epel-all [bug 1860470]
Created python3-PyYAML tracking bugs for this issue:
Affects: epel-all [bug 1860468]
OpenStack: set to 'notaffected' because the packaged RHOSP version (PyYAML-3.10-11.el7) doesn't have the FullLoader code (lib/yaml/loader.py and constructor.py).
Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.
FullLoader, which is the class where this vulnerability lies, was introduced in upstream version 5.1.
The fix for CVE-2020-1747 was to implement a blacklist that prevented some properties from being set when deserializing Python objects. However, it is still possible to bypass such a blacklist by carefully nesting objects.
Ansible Tower 3.7 uses an affected version of PyYAML 3.12 from RHEL, but the use of load() is specified with a SafeLoader when it is called. So Ansible Tower and Ansible Engine are not affected.
Red Hat Quay 3.3 uses the vulnerable load function, but only to parse the Nginx configuration file, which only contains trusted data.
Even though the CVSSv3 for this flaw is 9.8, the Impact has been set to Moderate because PyYAML provides a specific method to deal with untrusted input, which is `yaml.safe_load`. `yaml.safe_load` or the SafeLoader loader should be used whenever the input YAML can be modified by a malicious user.
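As an added illustration (not code from this bug report or from PyYAML), a small stdlib-only audit that applies the guidance above to source code: it flags `yaml.load`/`yaml.load_all` calls that omit an explicit Loader or pass a loader other than SafeLoader, and any `full_load`/`unsafe_load` use, which is the kind of check behind the Ansible Tower and Quay assessments. The `SAMPLE` source and its file names are constructed for the example.

```python
import ast

# Loaders that construct arbitrary Python objects. FullLoader is the class
# affected by CVE-2020-1747 and its incomplete fix; SafeLoader/CSafeLoader are
# the ones recommended for input a malicious user can modify.
UNSAFE_LOADERS = {"Loader", "FullLoader", "UnsafeLoader",
                  "CLoader", "CFullLoader", "CUnsafeLoader"}
UNSAFE_FUNCS = {"full_load", "full_load_all", "unsafe_load", "unsafe_load_all"}


def _loader_name(call):
    """Name of the loader passed as Loader=... or as the 2nd positional arg, or None."""
    value = None
    for kw in call.keywords:
        if kw.arg == "Loader":
            value = kw.value
    if value is None and len(call.args) >= 2:   # yaml.load(stream, SomeLoader)
        value = call.args[1]
    if value is None:
        return None
    if isinstance(value, ast.Attribute):
        return value.attr
    if isinstance(value, ast.Name):
        return value.id
    return "<dynamic>"


def find_unsafe_yaml_calls(source):
    """Return sorted (line, reason) tuples for load calls that may build objects.
    Only calls made through the `yaml` module name are examined."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if not (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id == "yaml"):
            continue
        if f.attr in UNSAFE_FUNCS:
            findings.append((node.lineno, f"yaml.{f.attr}() constructs Python objects"))
        elif f.attr in ("load", "load_all"):
            loader = _loader_name(node)
            if loader is None:
                findings.append((node.lineno, f"yaml.{f.attr}() without an explicit Loader "
                                              "(PyYAML < 6.0 falls back to an unsafe loader)"))
            elif loader in UNSAFE_LOADERS or loader == "<dynamic>":
                findings.append((node.lineno, f"yaml.{f.attr}() with Loader={loader}"))
    return sorted(findings)


SAMPLE = '''
import yaml
cfg = yaml.safe_load(open("nginx.conf.yaml"))             # fine
data = yaml.load(body, Loader=yaml.SafeLoader)            # fine (Tower-style call)
obj = yaml.load(body)                                     # flagged: no Loader
obj2 = yaml.load(body, Loader=yaml.FullLoader)            # flagged: FullLoader
obj3 = yaml.full_load(body)                               # flagged
'''
```

Running `find_unsafe_yaml_calls(SAMPLE)` reports lines 5, 6 and 7 of the sample and leaves the two SafeLoader calls alone.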
Upstream opinion on the topic: https://github.com/yaml/pyyaml/issues/420#issuecomment-696752389 .
Oops, sorry, closed the wrong bug.
Currently getting fixed in Fedora here - https://bugzilla.redhat.com/show_bug.cgi?id=1916496
Once it goes stable I'll update the fedora CVE bug.