
[19.03 backport] vendor: Bump gopkg.in/yaml.v2 #2119

Merged: andrewhsu merged 1 commit into docker:19.03 from thaJeztah:19.03_backport_bump_yaml.v2_2.2.3 on Oct 3, 2019

@thaJeztah (Member) commented Oct 1, 2019

backport of #2117

To mitigate against malicious YAML (kubernetes/kubernetes#83253), we had implemented our own patch to the yaml.v2 library. Now that there's an upstream fix, this PR brings us back to using the upstream library.

Description for the changelog

  • cli: Mitigate against YAML files that have excessive aliasing

Signed-off-by: Christopher Crone <christopher.crone@docker.com>
(cherry picked from commit 91cf8b0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah (Member, Author)

ping @silvin-lubecki @chris-crone @vdemeester PTAL

@chris-crone (Member) left a comment

LGTM

@kolyshkin (Contributor)

Do we need this for 19.03.3?

}

func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) {
d.decodeCount++
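
Review bot: in `unmarshal`, `d.decodeCount++` runs on every call, but the visible lines do not show the counter being compared against a bound, so the mitigation cannot be confirmed from this region alone. Since this bump replaces a locally carried patch with the upstream fix, a regression test in the cli that feeds a heavily aliased YAML document and expects an error would catch a later vendor bump that drops the check.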

@thaJeztah (Member, Author)

@kolyshkin not critical, but it probably won't hurt to have; the beef of the change is in this file (although their fix is a bit weird)

@silvin-lubecki (Contributor) left a comment

LGTM

@andrewhsu merged commit 2355349 into docker:19.03 on Oct 3, 2019
@thaJeztah deleted the 19.03_backport_bump_yaml.v2_2.2.3 branch on October 4, 2019 08:57