elasticsearch-curator==5.7.6 security breach with pyyaml==3.12 #1415
Comments
This is a known issue. There are problems, however, with pyyaml 5.1.1, and until 5.2 is released, or until I am able to completely rewrite Curator in a way that does not use environment variables the way it currently does (which will be a breaking change), I am unable to just simply replace pyyaml 3.x with This will be addressed in the next major version of Curator either way. I understand the nature of the CVE. It is a problem, yes. But it's also fairly easy to work around, as it's pretty easy to work around by monitoring changes to the different YAML files to ensure nothing has been added.
@untergeek ok, thanks for the information. Regarding the next major release, is there some approximate ETA for that?
No, not yet.
PyYAML 5.2 has been released (https://pypi.org/project/PyYAML/#history). Can Curator be upgraded to use this?
Not without some breaking API changes. It's definitely on tap, but I'm rather busy, unfortunately, and Curator isn't my top priority. I hope to have more time over the holidays, however. We'll see what I'm able to crank out.
According to https://bugs.gentoo.org/713342, curator is the only package blocking the removal of vulnerable pyyaml in Gentoo Linux.
What are the breaking API changes effected by this?
@untergeek, following up on @zilvinasu's comment, is there an ETA on the next major version release?
@borissnd Sorry, no ETA. It's a pain point for me, as I am doing Curator in my spare time now. I changed roles at Elastic and am no longer on the engineering team, and ILM/SLM cover the basic (but not all) functionality Curator provides. To answer @mrkeelan, the breaking changes will be for those who are using environment variables to pass settings to Curator. It will be a bad experience no matter when I make the change. I was hoping to do this for a major version, but given the security hole here, I will probably just put the changes in sooner rather than later, and apologize for the breaking changes.
This has been addressed in #1596, which is awesome, because it required no API-level changes to how PyYAML works. Curator 5.8.4 will be released soon.
Using the latest elasticsearch-curator results in a security breach report by GitHub.

Expected Behavior

A newer version should be used that addresses the fix, i.e. pyyaml >=4.2b1, according to the suggestion by the GitHub security reports.

Actual Behavior

pyyaml==3.12 is used, resulting in the security vulnerability report.

Detailed Description

More information about the security breach at: https://nvd.nist.gov/vuln/detail/CVE-2017-18342
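CVE-2017-18342 concerns PyYAML's `yaml.load()` constructing arbitrary Python objects from `!!python/...` tags in untrusted input; the maintainer's interim workaround above is to watch the YAML files Curator reads for unexpected additions. The following is an added example, not code from Curator or from this thread, that shows both defensive checks on a constructed config file: scan for python-specific tags, compare the file against a recorded baseline hash, and parse only with `yaml.safe_load` (which refuses those tags instead of executing them). The sample file contents, and the function names `find_python_tags`, `sha256_hex`, `parse_safely` and `check_config`, are assumptions made for this example.

```python
"""Defensive checks for YAML config files read by a tool such as Curator.
Added example; the file contents below are constructed, not project files."""
import hashlib
import re

try:
    import yaml  # PyYAML is optional here; the tag and hash checks need no parser
except ImportError:  # pragma: no cover
    yaml = None

# Any '!!python/...' tag asks PyYAML's full Loader to build a Python object,
# which is what makes yaml.load() on untrusted input dangerous (CVE-2017-18342).
PYTHON_TAG = re.compile(r"!!python/\S+")

# Constructed sample: a benign Curator-style client configuration.
BENIGN_CONFIG = """\
client:
  hosts:
    - 127.0.0.1
  port: 9200
  timeout: 30
"""

# Constructed sample: the same file after someone appended a python tag.
# os.getcwd is harmless; what matters for detection is the tag shape.
TAMPERED_CONFIG = BENIGN_CONFIG + """\
logging:
  blacklist: !!python/object/apply:os.getcwd []
"""


def find_python_tags(text):
    """Return every '!!python/...' tag in the text, in document order."""
    return PYTHON_TAG.findall(text)


def sha256_hex(text):
    """Fingerprint the file so later edits can be detected against a baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_safely(text):
    """Parse with SafeLoader only and return (data, error_message).

    SafeLoader has no constructor for python tags, so a tagged document fails
    to load rather than running code. When PyYAML is not installed the parse
    is skipped and the caller still gets the tag and hash checks."""
    if yaml is None:
        return None, "pyyaml not installed"
    try:
        return yaml.safe_load(text), None
    except yaml.YAMLError as exc:
        return None, str(exc)


def check_config(text, baseline_sha256=None):
    """Combine the checks into one verdict dictionary."""
    tags = find_python_tags(text)
    digest = sha256_hex(text)
    changed = baseline_sha256 is not None and digest != baseline_sha256
    _data, error = parse_safely(text)
    safe_parse_ok = None if yaml is None else error is None
    return {
        "unsafe_tags": tags,
        "changed": changed,
        "sha256": digest,
        "safe_parse_ok": safe_parse_ok,
        # Accept only an unchanged, tag-free file that SafeLoader also accepts.
        "accept": not tags and not changed and safe_parse_ok is not False,
    }


if __name__ == "__main__":
    baseline = sha256_hex(BENIGN_CONFIG)  # record this when the file is trusted
    for name, text in (("benign", BENIGN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        verdict = check_config(text, baseline)
        print(name, verdict["accept"], verdict["unsafe_tags"], verdict["changed"])
```

Recording the baseline hash at deploy time and rerunning `check_config` before each Curator run turns the maintainer's "monitor the YAML files" advice into an automated gate; replacing `yaml.load` with `yaml.safe_load` in the consuming code is the actual fix.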