YAML Load Executes Arbitrary Code Compromising 470 Servers?!

YAML RCE APOCALYPSE! yaml.load() executes Python! Attacker uploads malicious config! Backdoor on all servers! 4.7M database exfiltrated! $47M breach! CISO ARRESTED!

#python #pythondisaster #yaml #remotecodeexecution #configloading #productionbug #pythonshorts #pythonwtf #deserialization #careerending #criminalcharges #pyyaml

https://www.youtube.com/watch?v=Lvvwf-SaDeE

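What the video's headline boils down to, as an added example (this is not code from the video or from any of the posts here): PyYAML's `yaml.Loader` honours PyYAML-specific tags such as `!!python/object/apply:module.callable`, which import the named callable and call it with the node's contents as arguments, so an attacker who controls a config file that is parsed with `yaml.load(..., Loader=yaml.Loader)` (or, in PyYAML < 5.1, a bare `yaml.load(text)`) gets code execution. `yaml.safe_load()` refuses every tag it has no constructor for. The example assumes PyYAML is installed; the config documents are constructed for the demonstration, and `os.getcwd` stands in for the `subprocess`/`os.system` payload a real attacker would name.

```python
import os
import yaml  # PyYAML; assumed installed (pip install pyyaml)

# Constructed benign config, the kind of file an app would read at start-up.
BENIGN_CONFIG = """
database:
  host: db.internal
  port: 5432
workers: 4
"""

# Constructed malicious config. The PyYAML-specific tag
# !!python/object/apply:os.getcwd makes the unsafe loader import os and
# call os.getcwd() with the (empty) sequence as positional arguments.
# Swapping in subprocess.check_output [[...]] or os.system [...] is the
# real-world payload; os.getcwd is used here because it is harmless.
MALICIOUS_CONFIG = """
database:
  host: !!python/object/apply:os.getcwd []
workers: 4
"""


def load_config_unsafe(text):
    """The vulnerable pattern: yaml.Loader executes python/* tags.
    PyYAML < 5.1 used this loader for a bare yaml.load(text) as well."""
    return yaml.load(text, Loader=yaml.Loader)


def load_config_safe(text):
    """Hardened form: SafeLoader builds only plain YAML types (str, int,
    float, bool, list, dict, ...) and raises on any unknown tag."""
    return yaml.safe_load(text)


def demo():
    """Run both loaders over both documents and report what happened."""
    results = {}
    results["benign_safe"] = load_config_safe(BENIGN_CONFIG)

    # Unsafe loader on the malicious document: the tag is executed and the
    # 'host' value becomes whatever os.getcwd() returned.
    unsafe = load_config_unsafe(MALICIOUS_CONFIG)
    results["unsafe_executed"] = unsafe["database"]["host"] == os.getcwd()

    # Safe loader on the same document: rejected before any call happens.
    try:
        load_config_safe(MALICIOUS_CONFIG)
        results["safe_rejected"] = False
    except yaml.YAMLError as exc:  # ConstructorError: no constructor for tag
        results["safe_rejected"] = "python/object/apply" in str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If you need custom tags for your own config format, register constructors on a `SafeLoader` subclass rather than reaching for `yaml.Loader`, `yaml.UnsafeLoader` or `yaml.unsafe_load`; the same tag that constructs a harmless object here can name any importable callable.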
Just stumbled upon some oddities in #PyYAML and the #YAML 1.1 spec when working on a bug report of #kas. Asked an #LLM and argued with it. TL;DR: Always check the answers against the actual spec.
#oss

The #PyYAML project rejected support for Python without the GIL (#freethreading). As a result, a fork focused on adding that support was created. Because of the fork's limited needs, it supports only Python 3.13+. And since it is not yet possible to express a dependency conditionally on the free-threading build, other packages require PyYAML-ft for Python versions >=3.13 (including the regular, GIL build) and plain PyYAML for <3.13.

Isn't the world of Python packaging great?

https://github.com/yaml/pyyaml/pull/830#issuecomment-2342475334
https://github.com/Instagram/LibCST/blob/18d4f6aded907bd11b683fa54dad32ca04f84f75/pyproject.toml#L21-L24

#Gentoo #Python

Add free-threading support by FFY00 · Pull Request #830 · yaml/pyyaml

GitHub

#PyYAML rejected #freethreading support. As a result, a new fork has been created with freethreading support. Given the fork's focus on freethreading, it supports only Python 3.13+. Given the lack of environment markers for freethreading (yet), packages end up depending on PyYAML-ft for >=3.13 (including non-freethreading builds), and PyYAML for <3.13.

Isn't #Python #packaging great?

https://github.com/yaml/pyyaml/pull/830#issuecomment-2342475334
https://github.com/Instagram/LibCST/blob/18d4f6aded907bd11b683fa54dad32ca04f84f75/pyproject.toml#L21-L24

#Gentoo

Add free-threading support by FFY00 · Pull Request #830 · yaml/pyyaml

GitHub
#PyYaml -> 🚮 slow, slower, slowest

This library is depended on by 867 packages (#pyyaml, requests, hypothesis), has a bogus CVE and is abandonware.

That's a bit under 1000 releases not counting the iceberg of closed source.

Who files these bogus CVEs? It is like setting $10,000 on fire, but in $100 piles all across the country.

https://pypi.org/project/py/

https://libraries.io/pypi/py

#python

py

library with cross-python path, ini-parsing, io, code, log facilities

PyPI
@orsinium Interesting. I presume you mean this problem with #PyYAML. I hadn't considered #TOML. Will take a look at it. https://stackoverflow.com/questions/76707475/issue-importing-pyyaml-cltk

ℹ️ I have updated #PyXavi to version v0.3.3, fixing a dependency problem with #PyYaml, which published 6.0, which in turn is broken and is fixed by 6.0.1.

The version is already published on #PyPI
https://pypi.org/project/pyxavi/

#Python things

pyxavi

Set of utilities to assist on simple Python projects

PyPI

I was just too lazy to look into it properly and installed pyyaml. `import yaml` works fine.

#yaml #pyyaml #python

Wow I thought I was not affected by the PyYAML uncapped Cython disaster https://github.com/yaml/pyyaml/issues/601 but it turns out I can't install `docker-compose`.

I often refer to @henryiii's blog post on the matter https://iscinumpy.dev/post/bound-version-constraints/ but I think in this case it was a big mistake not to cap Cython. In the end, build dependencies are throwaway dependencies: they are used in a temporary, isolated environment and then never used again.

#python #pyyaml #cython

"AttributeError: cython_sources" with Cython 3.0.0a10 · Issue #601 · yaml/pyyaml

When attempting to install PyYAML from sources with Cython 3.0.0a10, e.g. like so: pip install --pre -v git+https://github.com/yaml/pyyaml.git the install fails with: Using pip 21.3.1 from /home/fl...

GitHub