Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[19.03 backport] vendor: Bump gopkg.in/yaml.v2 #2119

Merged
merged 1 commit into from
Oct 3, 2019
Merged

[19.03 backport] vendor: Bump gopkg.in/yaml.v2 #2119

merged 1 commit into from
Oct 3, 2019

Conversation

thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Oct 1, 2019
edited by kolyshkin
Loading

backport of #2117

To mitigate against malicious YAML (kubernetes/kubernetes#83253), we had implemented our own patch to the yams.v2 library. Now that there's an upstream fix, this PR brings us back to using the upstream library.

Description for the changelog

  • cli: Mitigate against YAML files that has excessive aliasing

@chris-crone @thaJeztah
vendor: Bump gopkg.in/yaml.v2
29e3a70 
Signed-off-by: Christopher Crone <[email protected]>
(cherry picked from commit 91cf8b0)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah added this to the 19.03.3 milestone Oct 1, 2019
@thaJeztah
Copy link
Member Author

ping @silvin-lubecki @chris-crone @vdemeester PTAL

chris-crone
chris-crone approved these changes Oct 1, 2019
View reviewed changes
Copy link
Member

@chris-crone chris-crone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kolyshkin
Copy link
Contributor

Do we need this for 19.03.3?

thaJeztah
thaJeztah commented Oct 2, 2019
View reviewed changes
vendor/gopkg.in/yaml.v2/decode.go
@@ -315,6 +319,13 @@ func (d *decoder) prepare(n *node, out reflect.Value) (newout reflect.Value, unm
}

func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) {
d.decodeCount++
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kolyshkin not critical, but it probably won't hurt to have; the beef of the change is in this file (although their fix is a bit weird)

silvin-lubecki
silvin-lubecki approved these changes Oct 2, 2019
View reviewed changes
Copy link
Contributor

@silvin-lubecki silvin-lubecki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@andrewhsu andrewhsu merged commit 2355349 into docker:19.03 Oct 3, 2019
@thaJeztah thaJeztah mentioned this pull request Oct 3, 2019
Merged
@thaJeztah thaJeztah deleted the 19.03_backport_bump_yaml.v2_2.2.3 branch October 4, 2019 08:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chris-crone chris-crone chris-crone approved these changes

@silvin-lubecki silvin-lubecki silvin-lubecki approved these changes

Assignees
No one assigned
Labels
impact/changelog status/2-code-review
Projects
None yet
Milestone
19.03.3
Development

Successfully merging this pull request may close these issues.
6 participants
@thaJeztah @kolyshkin @chris-crone @silvin-lubecki @andrewhsu @GordonTheTurtle