Package: lava / 2020.12-5+deb11u2

Metadata

Package: lava
Version: 2020.12-5+deb11u2
Patches format: 3.0 (quilt)

Patch series

0001 lava_rest_app fix field name in filters.patch

lava_rest_app/filters.py | 4 (+2, -2)
1 file changed, 2 insertions(+), 2 deletions(-)

 lava_rest_app: fix field name in filters

This used to pass with django-filter 2.1.0, but 2.4.0 now throws an
exception.

Fixes #460

0002 lava_common.compat add support for PyYAML 5.4.patch

lava_common/compat.py | 13 (+13, -0)
tests/lava_dispatcher/test_multinode.py | 4 (+2, -2)
tests/lava_scheduler_app/test_pipeline.py | 4 (+2, -2)
3 files changed, 17 insertions(+), 4 deletions(-)

 lava_common.compat: add support for pyyaml 5.4

A few tests need to explicitly use an unsafe loader to be able to test
YAML roundtrips. As a fix for a security issue, PyYAML 5.4 requires us
to be even more specific to request an unsafe loader, which is a
backwards-incompatible change.

On older versions of PyYAML that don't provide UnsafeLoader, we need
to fall back to the regular Loader class.

Signed-off-by: Marc Deslauriers <marc.deslauriers@ubuntu.com>
Signed-off-by: Antonio Terceiro <antonio.terceiro@linaro.org>

0003 Replace dynamic code execution in lava_server lavata.patch

lava_server/lavatable.py | 76 (+26, -50)
1 file changed, 26 insertions(+), 50 deletions(-)

 [patch] replace dynamic code execution in lava_server/lavatable.py

`exec` was used to create query parameters for the table searches.
`exec` is extremely dangerous and can lead to remote code execution.
It is also very slow.
The new implementation is equivalent in function but uses
dictionaries and unpacking to create arguments.
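An added illustration of the dictionary-and-unpacking approach this commit describes (example code, not lava's own lavatable.py): the searchable column names form an allowlist, the filter arguments are built as a plain dict, and `**kwargs` replaces any string-building plus `exec`. The rows, column names and helper functions are constructed stand-ins for a Django queryset and its `filter()` call.

```python
# Constructed sample rows standing in for a Django queryset; the real
# lava_server/lavatable.py code is not on the page, so names are hypothetical.
ROWS = [
    {"id": 1, "description": "boot test on qemu", "submitter": "alice"},
    {"id": 2, "description": "network smoke test", "submitter": "bob"},
    {"id": 3, "description": "qemu kernel build", "submitter": "carol"},
]

# Allowlist of columns a table search may use. The exec-based approach spliced
# the field name into Python source; here it is only ever a dictionary key.
SEARCHABLE_FIELDS = frozenset({"description", "submitter"})


def build_search_kwargs(fields, term, lookup="icontains"):
    """Build the {"<field>__<lookup>": term} mapping that Django's
    QuerySet.filter(**kwargs) expects, rejecting unknown field names."""
    fields = list(fields)
    unknown = sorted(f for f in fields if f not in SEARCHABLE_FIELDS)
    if unknown:
        raise ValueError(f"unsupported search field(s): {unknown}")
    return {f"{field}__{lookup}": term for field in fields}


def filter_rows(rows, **lookups):
    """Minimal stand-in for QuerySet.filter(**kwargs): all lookups must match."""
    def matches(row):
        for key, value in lookups.items():
            field, _, lookup = key.partition("__")
            if lookup == "icontains":
                if str(value).lower() not in str(row[field]).lower():
                    return False
            elif lookup in ("", "exact"):
                if row[field] != value:
                    return False
            else:
                raise ValueError(f"unsupported lookup: {lookup}")
        return True
    return [row for row in rows if matches(row)]


def search_any_field(rows, fields, term):
    """Table search: a row matches if the term appears in any searchable
    column. Each per-field kwargs dict is unpacked into the filter call."""
    hits = []
    for field in fields:
        kwargs = build_search_kwargs([field], term)
        for row in filter_rows(rows, **kwargs):
            if row["id"] not in hits:
                hits.append(row["id"])
    return sorted(hits)
```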

0004 share requires.py fix building for debian backports .patch

share/requires.py | 2 (+2, -0)
1 file changed, 2 insertions(+)

 [patch] share/requires.py: fix building for debian -backports and
 -security suites


0005 Use defusedxml for XMLRPC to prevent DoS attacks.patch

docker/lava-server-base/Dockerfile | 2 (+1, -1)
linaro_django_xmlrpc/models.py | 3 (+3, -0)
share/requirements/debian/bullseye.yaml | 2 (+2, -0)
share/requirements/debian/buster.yaml | 2 (+2, -0)
share/requirements/debian/unstable.yaml | 2 (+2, -0)
5 files changed, 10 insertions(+), 1 deletion(-)

 [patch] use `defusedxml` for xmlrpc to prevent dos attacks

`defusedxml` is a patched XML Python library that fixes many issues
with the standard library XML and prevents attacks such as the
Billion laughs attack.

https://en.wikipedia.org/wiki/Billion_laughs_attack

`defusedxml` provides a `defusedxml.xmlrpc.monkey_patch` call
which will patch the `xmlrpc` standard library module with the
safe XML decoders.

This patch enables XML protections once a Dispatcher class is
initiated. The Dispatcher is the one that uses the
`xmlrpc.client.loads` call to parse XML from the HTTP call.