CVE-2020-14343

Asked by Andrew Killen

I am currently running fully patched Ubuntu Server 20.04 LTS in my environment. Our vulnerability scan is flagging pyyaml 5.3.1 as vulnerable to CVE-2020-14343. When I look at the NIST page for CVE-2020-14343 (https://nvd.nist.gov/vuln/detail/CVE-2020-14343#range-9368013), I see that pyyaml versions from 5.1 up to (but excluding) 5.4 are vulnerable, which tracks with my vulnerability scan flagging this package as vulnerable.

My question is around the fact that all Ubuntu documentation, including Launchpad (https://launchpad.net/ubuntu/+source/pyyaml/5.3.1-1ubuntu0.1), seems to indicate that CVE-2020-14343 was patched in 5.3.1. Who is right?

I also don't seem to have a straightforward path to update to pyyaml 5.4.1 in Ubuntu 20.04. Is there a documented path forward for this? I have a less than ideal plan, but would like to avoid it.

Question information

Language: English
Status: Solved
For: Ubuntu pyyaml
Assignee: No assignee
Solved by: Manfred Hampl
Manfred Hampl (m-hampl) said (#1, best answer):

see https://ubuntu.com/security/CVE-2020-14343
and https://ubuntu.com/security/notices/USN-4940-1
and the change log part in https://launchpad.net/ubuntu/+source/pyyaml/5.3.1-1ubuntu0.1

Ubuntu's strategy is not upgrading packages in already-published releases to a higher package version, but applying a patch to the older version of the package to fix the vulnerability.

So "standard pyyaml 5.3.1" is vulnerable, but "Ubuntu's pyyaml 5.3.1-1ubuntu0.1" is not vulnerable, because it has been fixed.

Vulnerability scanners that look only at the version number will still flag the fixed Ubuntu versions as vulnerable.

Andrew Killen (andrewbkillen) said (#2):

Thanks Manfred Hampl, that solved my question.

Andrew Killen (andrewbkillen) said (#3):

Just wanted to follow up on this. I marked Manfred's answer as having solved my problem. I opened a support ticket with my vulnerability scan vendor and they are looking into the issue.