oss-sec mailing list archives
CVE request for Django-piston and Tastypie
From: David Black <disclosure () d1b org>
Date: Wed, 2 Nov 2011 04:11:28 +1100
"It was discovered that both Piston and Tastypie share a similar vulnerability with respect to their de-serialization of YAML post data. Both Piston and Tastypie used the yaml.load method, which is unsafe. In certain circumstances this could be used to allow remote execution of arbitrary code." [0]

Can a CVE be assigned to both Tastypie and Django-piston regarding these issues?

[0] https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
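The unsafe-versus-hardened deserialization pattern the quoted advisory describes, as an added example that is not code from Piston, Tastypie or the original post; the request bodies are constructed and the function names are assumptions. It uses a harmless Python-specific tag to show that a full loader builds arbitrary Python objects while safe_load refuses them.

```python
import yaml
from yaml.constructor import ConstructorError

# Constructed sample request bodies (not taken from the advisory).
BENIGN_BODY = "title: hello\ntags: [a, b]\n"
# A Python-specific tag. Harmless here, but it proves the loader will
# construct arbitrary Python objects from client input, which is what made
# yaml.load() unsafe for untrusted POST data.
TAGGED_BODY = "point: !!python/tuple [1, 2]\n"


def deserialize_unsafe(body: str):
    """Pre-fix pattern: the full Loader honours !!python/* tags.

    Kept only to contrast with the hardened version below; never use it
    on data that comes from a client.
    """
    return yaml.load(body, Loader=yaml.Loader)


def deserialize_safe(body: str) -> dict:
    """Hardened pattern for an API body: plain YAML data types only.

    safe_load knows only the core YAML types (str, int, float, bool, list,
    dict, null, timestamp) and raises ConstructorError for any other tag.
    A REST body is additionally required to be a top-level mapping.
    """
    try:
        data = yaml.safe_load(body)
    except ConstructorError as exc:
        raise ValueError(
            f"rejected YAML body with unsupported tag: {exc.problem}"
        ) from exc
    if not isinstance(data, dict):
        raise ValueError("YAML body must be a mapping")
    return data


def is_rejected(body: str) -> bool:
    """True when the hardened deserializer refuses the body."""
    try:
        deserialize_safe(body)
    except ValueError:
        return True
    return False
```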
Current thread:
- CVE request for Django-piston and Tastypie David Black (Nov 01)
- Re: CVE request for Django-piston and Tastypie Kurt Seifried (Nov 01)
- Re: CVE request for Django-piston and Tastypie Vincent Danen (Nov 01)
- Re: CVE request for Django-piston and Tastypie Kurt Seifried (Nov 01)
- Re: CVE request for Django-piston and Tastypie Vincent Danen (Nov 01)
- Re: CVE request for Django-piston and Tastypie David Black (Nov 01)
- Re: Re: CVE request for Django-piston and Tastypie Kurt Seifried (Nov 02)
- Re: CVE request for Django-piston and Tastypie Kurt Seifried (Nov 01)