oss-sec mailing list archives

Re: CVE request for Django-piston and Tastypie


From: Vincent Danen <vdanen () redhat com>
Date: Tue, 1 Nov 2011 15:58:05 -0600

* [2011-11-01 13:15:53 -0600] Kurt Seifried wrote:

On 11/01/2011 11:11 AM, David Black wrote:
y with respect to their de-serialization of YAML post
data. Both Piston and Tastypie used the yaml.load method, which is
unsafe. In certain
Can you please send me links for Piston and Tastypie announcements/code
commits showing the vuln please? Thanks.

Can't speak for Tastypie (we don't ship it so I didn't look), but for
Piston:

https://bitbucket.org/jespern/django-piston/changeset/91bdaec89543
https://bugzilla.redhat.com/show_bug.cgi?id=750658

There is no Piston announcement that I can see.

--
Vincent Danen / Red Hat Security Response Team
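The defect the thread refers to is feeding untrusted POST data to PyYAML's `yaml.load`, which honours Python-specific tags and can construct arbitrary objects. The following is an added example, not code from this thread or from Piston or Tastypie: it shows the hardened form, a request-body parser built on `yaml.safe_load`, which only constructs the core YAML types and rejects any document carrying a tag outside that set. It assumes PyYAML is installed; the function names, the size limit and the sample bodies are constructed for the illustration.

```python
"""Added example, not code from the original thread or from Piston/Tastypie.

Hardened YAML body parsing for a web handler. Assumes PyYAML is installed
(the library whose yaml.load method the thread discusses); the function
names, the size limit and the sample documents are constructed here.
"""
import yaml

# Pattern the thread describes: handing untrusted POST data to yaml.load,
# which honours Python-specific tags and can construct arbitrary objects.
#     data = yaml.load(request.body)   # unsafe on untrusted input; do not use

MAX_BODY = 64 * 1024  # constructed limit: refuse oversized bodies before parsing


def parse_yaml_body(raw):
    """Deserialize an untrusted YAML request body into plain data.

    yaml.safe_load builds only mappings, sequences, strings, numbers,
    booleans and null, and raises ConstructorError for any other tag,
    including every tag:yaml.org,2002:python/* tag.
    """
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")
    if len(raw) > MAX_BODY:
        raise ValueError("request body too large")
    try:
        data = yaml.safe_load(raw)
    except yaml.YAMLError as exc:
        # ConstructorError for disallowed tags; scanner/parser errors for
        # malformed input. All are surfaced as one rejection to the caller.
        raise ValueError("rejected YAML body: %s" % exc) from None
    if not isinstance(data, dict):
        # API handlers expect a top-level mapping; refuse anything else.
        raise ValueError("expected a top-level mapping")
    return data


def is_rejected(raw):
    """True if parse_yaml_body refuses the body (helper for the checks below)."""
    try:
        parse_yaml_body(raw)
    except ValueError:
        return True
    return False


# Constructed sample bodies.
PLAIN_BODY = b"title: hello\ncount: 3\ntags: [a, b]\n"
# A document carrying a Python-specific tag. yaml.load would resolve it to
# the builtin len; safe_load raises ConstructorError instead of resolving it.
TAGGED_BODY = b"callback: !!python/name:builtins.len\n"
SCALAR_BODY = b"just a string\n"

if __name__ == "__main__":
    print(parse_yaml_body(PLAIN_BODY))
    print("tagged body rejected:", is_rejected(TAGGED_BODY))
    print("non-mapping body rejected:", is_rejected(SCALAR_BODY))
```

The rejection of the tagged document is the whole point of the fix: the safe loader refuses to resolve the tag at all, so no attacker-chosen Python object is ever constructed, and the handler can turn the failure into an ordinary 400 response.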
